Preface


This  National  Institute  of  Standards  and  Technology  Interagency  Report  (NISTIR)  is  a 
compendium  of  computer  security  training  and  awareness  courses.  The  purpose  of  this 
publication is to assist federal agencies in locating computer security training resources. This
publication  is  part  of  a continuing  NIST  effort  to  support  federal  agencies  in  accordance  with 
NIST’s  mandate  under  the  Computer  Security  Act  of  1987.  These  courses  are  organized  into 
training  areas  within  audience  categories  as  defined  in  NIST  Special  Publication  500-172, 
Computer  Security  Training  Guidelines. 

NIST  Special  Publication  500-172  was  developed  to  provide  a framework  for  identifying 
computer  security  training  requirements  for  a diversity  of  audiences.  It  focuses  on  learning 
objectives  based  upon  the  extent  to  which  computer  security  knowledge  is  required  by  an 
individual  as  it  applies  to  his  or  her  job  function. 

A training  matrix  was  introduced  in  Special  Publication  500-172  to  assist  agencies  in  designing 
training  that  meets  the  learning  objectives  for  a particular  group.  The  training  and  awareness 
courses  in  this  compendium  have  been  mapped  to  the  matrix  (see  appendix  A)  by  the  training 
organization/vendor. 

The  National  Institute  of  Standards  and  Technology  (NIST)  makes  no  claim  or  endorsement  of 
the  computer  security  courses  or  their  currency  in  this  compendium.  Courses  listed  in  the 
compendium  were  sent  in  as  a result  of  a public  data  call  during  the  1991  calendar  year.  The 
data  call  consisted  of  a letter  of  invitation  to  known  sources  of  trainers  as  provided  by  the 
Federal Computer Security Program Managers’ Forum and the Federal Information Systems
Security  Educators’  Association.  In  addition,  a CSL  Newsletter  was  disseminated  nationwide 
inviting  vendors  to  participate  in  this  effort.  Therefore,  this  listing  is  not  a complete  source  of 
all  available  security  related  courses. 

Vendors  already  listed  are  encouraged  to  continue  to  send  in  changes/updates  and  new  vendors 
are  invited  to  send  in  their  computer  security  courses.  (See  address  below.)  NIST  expresses  its 
appreciation  to  the  many  federal,  academic,  and  vendor  organizations  that  participated  in  this 
effort  for  their  time  and  interest  in  mapping  their  courses  to  the  matrix  in  NIST  Special 
Publication  500-172. 

Questions  or  comments  regarding  this  publication  should  be  addressed  to  Kathie  Everhart,  Office 
of  the  Associate  Director  for  Computer  Security,  Computer  Systems  Laboratory,  Building  225, 
Room  B154,  National  Institute  of  Standards  and  Technology,  Gaithersburg,  MD,  20899. 

Additional  copies  of  this  NISTIR  may  be  purchased  through  the  National  Technical  Information 
Service,  Springfield,  VA.  22161,  telephone:  (703)  487-4650.  SP500-172  may  be  purchased 
through  the  Government  Printing  Office,  telephone:  (202)  783-3238. 
COMPUTER SECURITY BASICS
FOR  EXECUTIVES 


COURSE  TITLE:  Computer  Security  For  End  Users 
COURSE  LENGTH:  1 DAY 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This  workshop  will  give  you  an  overview  of  the  threats  to,  and 
vulnerabilities  of,  computer  systems,  and  appropriate  safeguards 
to  protect  those  systems.  We  will  stress  your  role  in  the 
protection  of  sensitive  data,  and  in  the  prevention  and  detection 
of  computer  crime.  You  will  receive  checklists  and  suggestions 
for  becoming  more  aware  of  possible  computer  security  problems  in 
your  office,  and  you  will  be  able  to  get  advice  on  how  to  deal 
with  concerns  that  are  specific  to  your  agency  or  installation. 


COURSE  TITLE:  Computer  Security  For  Executives 
COURSE  LENGTH:  3 HRS 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This  briefing  will  give  you  a basic  understanding  of  computer 
security.  It  includes  an  overview  of  threats  and  vulnerabilities 
to  computer  systems  and  your  responsibility  for  the  assessment  of 
your  agency’s  computer  security  program.  We  will  review  briefly 
the  history  of  computers,  then  examine  current  dependencies  on 
computers,  applicable  laws  and  regulations,  computer  crime, 
viruses,  and  touch  on  espionage.  Bring  your  questions  because 
the  briefing  is  designed  to  be  responsive  to  your  needs.  Time 
has  been  reserved  at  various  points  for  you  to  raise  concerns 
from  your  individual  agency  perspective. 
COURSE TITLE: Computer Security Awareness Training
COURSE  LENGTH:  3 HRS 


VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington, VA 22215-0608
(703)  557-0885 

Participants  learn  to  be  aware  of  threats  to  and  vulnerabilities 
of  computer  systems,  as  well  as  to  encourage  use  of  improved 
security  practices.  Topics  include:  Computer  Security  Act  of 
1987;  computer  fraud,  waste,  and  abuse;  and  types  of  computer 
hackers.  Also  discussed  are  natural  disasters  and  human  errors 
relating  to  computer  security. 


COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEM 

VENDOR 

University of Maryland, University Coll
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 
COURSE TITLE: EDP Auditing: The First Step
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

This  seminar  provides  financial  auditors  or  new  information 
systems  auditors  with  the  skills  required  to  audit  complex 
automated  applications.  Detailed  coverage  of  computerized 
controls  is  provided  to  ensure  participants  understand  the  key 
controls  and  how  to  audit  them.  They  will  also  learn  how  to 
audit  the  data  center,  data  security,  systems  under  development 
and  how  to  design  audit  software  tests.  In  addition,  we  have 
included  a special  section  on  EDI  which  explains  the  concepts, 
the  economics  and  key  controls  available  to  ensure  electronic 
transactions  are  processed  accurately  and  efficiently.  A special 
section  on  Auditing  Trading  Partner  Agreements  is  devoted  to 
minimizing  the  negative  impact  of  EDI  and  protecting  your 
organization.  Each  participant  will  receive  detailed  checklists 
and  comprehensive  audit  programs  so  they  can  perform  Information 
Systems audits. The audit experiences related by the instructors
provides  valuable  insight  on  how  to  locate,  identify  and  rectify 
control  weaknesses  in  a computerized  environment. 
COURSE TITLE: Computer Security Executive Overview
COURSE  LENGTH:  2 HRS 


VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  briefing  is  designed  for  executive  personnel  and  will  present  an  overview  of  applicable 
laws  and  other  requirements  for  computer  security.  The  course  will  emphasize 
implementation  of  these  requirements  at  the  executive  management  level,  and  the  role  of 
senior  management  in  supporting  security  initiatives.  The  objectives  are  to  aid  executives  in 
meeting their responsibilities under the Computer Security Act of 1987 by: presenting an
overview  of  computer  security  program  elements;  emphasizing  executive  management 
strategies  for  ensuring  cost-effective  implementation  of  computer  security  programs;  and 
explaining  the  risk  management  decision  process.  Spaces  are  available  to  other  federal 
agencies. 
COURSE TITLE: Application Auditing
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Using  the  CANAUDIT  approach  to  auditing,  participants  will  learn 
the  risks  associated  with  financial  systems,  what  can  go  wrong 
and  the  need  for  strong  cost-effective  internal  control. 

Emphasis  is  placed  on  developing  creative  audit  programs  that 
stress  control  and  more  importantly,  business  solutions  to 
control  weaknesses.  Our  approach  recognized  that  application 
auditing  is  more  than  compliance  auditing.  We  have  combined 
financial  auditing  with  the  principles  of  EDP  and  operational 
auditing.  Participants  will  learn  how  to  incorporate  these 
functions  into  their  audits  including  when  to  ask  for  assistance 
from  Technical  EDP  and  Operational  Audit  Specialists.  This 
course  uses  comprehensive  case  studies  to  reinforce  the  lecture 
and  discussions.  All  participants  will  receive  a series  of 
application  oriented  audit  programs  which  can  be  tailored  to 
their  organization. 
COURSE TITLE: Auditing AS/400: A Step By Step Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how 
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 
Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit 
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 
COURSE TITLE: Information Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar will emphasize how ISA is integrated with the internal
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in shorter-duration programs. Call the vendor for more
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  5-Overview  of  the  ISA  Function 

Module  6-Overview  of  Computer  Operations 

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  9-Organization  and  Administration 

Module  23-Introduction  to  Application  Control  Reviews 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 1-Computers and Their Components
Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 
Module  5-EDP  Personnel 
Module  6-Access  Control  and  Security 
COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  1 HR 


VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  course  is  to  provide  participants  with  an 
awareness  of  computer  security,  to  sensitize  them  to  the  need  for 
computer  security  policies  and  practices  in  the  workplace,  and  to 
motivate  each  individual  to  practice  effective  computer  security 
techniques.  The  instructional  content  of  the  course  is  composed 
of: requirements of computer-security-related laws and circulars;
definitions  and  examples  of  basic  computer  security  terms;  the 
increasing  concern  to  protect  computer  assets;  and  basic 
computer  practices,  controls,  and  countermeasures. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 


COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact  the  vendor  for  information  concerning  specialized 
agency  training. 
COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  5-8  HRS 


VENDOR 

DPEC 

1679  Old  Henderson  Road 
Columbus,  OH  43220-3644 
(800)  223-3732 

This  is  a Computer  Based  Training  (CBT)  course  using  the 
framework  of  administrative,  physical  and  logical  security. 
Computer  Security  Awareness  explains  contingency  planning  and 
precautions  against  computer  crime  from  the  viewpoint  of 
mainframe  computers  and  micros;  a computer  security  checklist  is 
included.  This  is  a modular  course  lasting  5-8  hours.  The 
number  of  hours  is  based  upon  a student  interacting  with 
approximately  60-120  screens  per  hour. 
SECURITY PLANNING AND MANAGEMENT
FOR  EXECUTIVES 


COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEM 

VENDOR 

University of Maryland, University Coll
University  Boulevard  at  Adelphi  Road 
College Park, MD 20742-1614
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways or invitations to intrusion. Ways of investigating the
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 
COURSE TITLE: Computer Security & Contingency Planning
COURSE LENGTH: 3 DAY

VENDOR
Canaudit Inc.

P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723

Security Administration is now a reality in many organizations.
Other companies that do not currently have a security
administration function are considering, or are in the process of
creating the security function. This seminar is designed to
remove the mystery surrounding data security, and to provide
participants with a proven approach to securing their computer
systems. At the end of the session, participants will understand
security administration and the critical items that must be
included to enable the function to perform effectively. They
will be able to classify data by criticality and confidentiality.

They will have an understanding of logical access security,
disaster contingency planning, and how to develop and implement
security procedures in their organization.
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  4-Planning  the  IS  Audit 

Module  5-Overview  of  the  ISA  Function 

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  23-Introduction  to  Application  Control  Reviews 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 
COMPUTER SECURITY POLICY AND PROCEDURES
FOR  EXECUTIVES 


COURSE  TITLE:  Information  Risk  Assessment  & Security  Management 
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

University  of  Maryland, University  Coll 
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 
COURSE TITLE: UNIX Systems Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  course  discusses  UNIX  security  and  how  system  managers  and 
administrators  can  implement  security  measures  on  UNIX.  The 
focus  of  the  course  is  on  the  inherent  security  vulnerabilities 
commonly  found  on  UNIX  systems  and  how  to  correct  them.  Examples 
are  presented  which  illustrate  how  to  insure  a high  level  of 
security  confidence  against  unauthorized  users  from  accessing  the 
system.  The  common  methods  used  to  penetrate  UNIX  systems,  gain 
unauthorized  root  access  permission,  become  another  user,  plant 
trojan  horses  or  spoofs,  and  other  ways  of  circumventing  the 
normal system protection are disclosed. Each attendee will
receive  detailed  audit  checklists  and  a diskette  containing  UNIX 
shell  and  C programs  which  will  assist  in  performing  security 
auditing and risk analysis. Prerequisites: UX001-Fundamentals of
UNIX  and  UX006-UNIX  System  Administration.  A knowledge  of  Shell 
and  C programming  is  helpful. 
COURSE TITLE: UNIX Security For Users
COURSE  LENGTH:  1 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  seminar  is  designed  to  make  all  users  aware  of  the  UNIX 
security  vulnerabilities  and  show  them  how  to  prevent  an 
unauthorized  user  from  compromising  their  login  account  or  data. 

The  security  features  which  are  provided  as  part  of  the  operating 
system are first discussed. Then, some of the ways in which
unauthorized people may gain access to a UNIX system or
another user's files and directories are discussed. Next, the
ways  of  preventing  unauthorized  access  are  described  in  detail, 
along  with  exact  descriptions  of  each  UNIX  command  and  the  way  it 
is  used.  Each  attendee  will  be  provided  with  a self-assessment 
checklist  and  sample  programs  which  will  allow  them  to  perform  a 
personal  audit  on  their  account.  The  seminar  concludes  with  a 
discussion  of  the  actions  a user  should  take  if  they  suspect 
compromise  of  their  login  and/or  files. 
COURSE TITLE: Auditing AS/400: A Step By Step Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how 
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 
Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit 
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar will be exposed to every major aspect of information
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  6-Overview  of  Computer  Operations 
Module  9-Organization  and  Administration 
Module 10-System Development Life Cycle
Module  11-Change  Control  and  Management 
Module  13-"The  Time  Bomb" 

Module 14-Access Control
Module  16-Program  Execution 
Module  17-Continuity  of  Operations 
Module  20-Data  Bases 
Module 21-Minicomputer Systems
Module  22-Microcomputer  Systems 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular training area:

Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 


COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 
CONTINGENCY PLANNING
FOR  EXECUTIVES 


COURSE TITLE: EDP Auditing: The First Step
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  seminar  provides  financial  auditors  or  new  information 
systems  auditors  with  the  skills  required  to  audit  complex 
automated  applications.  Detailed  coverage  of  computerized 
controls  is  provided  to  ensure  participants  understand  the  key 
controls  and  how  to  audit  them.  They  will  also  learn  how  to 
audit  the  data  center,  data  security,  systems  under  development 
and  how  to  design  audit  software  tests.  In  addition,  we  have 
included  a special  section  on  EDI  which  explains  the  concepts, 
the  economics  and  key  controls  available  to  ensure  electronic 
transactions  are  processed  accurately  and  efficiently.  A special 
section  on  Auditing  Trading  Partner  Agreements  is  devoted  to 
minimizing  the  negative  impact  of  EDI  and  protecting  your 
organization.  Each  participant  will  receive  detailed  checklists 
and  comprehensive  audit  programs  so  they  can  perform  Information 
Systems  audits.  The  audit  experiences  related  by  the  instructors 
provides  valuable  insight  on  how  to  locate,  identify  and  rectify 
control  weaknesses  in  a computerized  environment. 
COURSE TITLE: Computer Security & Contingency Planning
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Security  Administration  is  now  a reality  in  many  organizations. 
Other  companies  that  do  not  currently  have  a security 
administration  function  are  considering,  or  are  in  the  process  of 
creating  the  security  function.  This  seminar  is  designed  to 
remove  the  mystery  surrounding  data  security,  and  to  provide 
participants  with  a proven  approach  to  securing  their  computer 
systems.  At  the  end  of  the  session,  participants  will  understand 
security  administration  and  the  critical  items  that  must  be 
included  to  enable  the  function  to  perform  effectively.  They 
will  be  able  to  classify  data  by  criticality  and  confidentiality. 

They  will  have  an  understanding  of  logical  access  security, 
disaster  contingency  planning,  and  how  to  develop  and  implement 
security  procedures  in  their  organization. 
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  17-Continuity  of  Operations 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular training area:

Module  6-Access  Control  and  Security 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 

SYSTEMS LIFE CYCLE MANAGEMENT
FOR  EXECUTIVES 


COURSE TITLE: EDP Auditing: The First Step
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

This  seminar  provides  financial  auditors  or  new  information 
systems  auditors  with  the  skills  required  to  audit  complex 
automated  applications.  Detailed  coverage  of  computerized 
controls  is  provided  to  ensure  participants  understand  the  key 
controls and how to audit them. They will also learn how to
audit  the  data  center,  data  security,  systems  under  development 
and  how  to  design  audit  software  tests.  In  addition,  we  have 
included  a special  section  on  EDI  which  explains  the  concepts, 
the  economics  and  key  controls  available  to  ensure  electronic 
transactions  are  processed  accurately  and  efficiently.  A special 
section  on  Auditing  Trading  Partner  Agreements  is  devoted  to 
minimizing  the  negative  impact  of  EDI  and  protecting  your 
organization.  Each  participant  will  receive  detailed  checklists 
and  comprehensive  audit  programs  so  they  can  perform  Information 
Systems  audits.  The  audit  experiences  related  by  the  instructors 
provide valuable insight on how to locate, identify and rectify
control  weaknesses  in  a computerized  environment. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar will be exposed to every major aspect of information
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  10-System  Development  Life  Cycle 
Module 11-Change Control and Management

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 

VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  4-The  System  Development  Life  Cycle 

COMPUTER SECURITY BASICS
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE TITLE: Computer Security For End Users
COURSE  LENGTH:  1 DAY 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This workshop will give you an overview of the threats to, and
vulnerabilities  of,  computer  systems,  and  appropriate  safeguards 
to  protect  those  systems.  We  will  stress  your  role  in  the 
protection  of  sensitive  data,  and  in  the  prevention  and  detection 
of  computer  crime.  You  will  receive  checklists  and  suggestions 
for  becoming  more  aware  of  possible  computer  security  problems  in 
your  office,  and  you  will  be  able  to  get  advice  on  how  to  deal 
with  concerns  that  are  specific  to  your  agency  or  installation. 


COURSE  TITLE:  Computer  Security  Awareness  Training 
COURSE  LENGTH:  3 HRS 

VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  to  be  aware  of  threats  to  and  vulnerabilities 
of  computer  systems,  as  well  as  to  encourage  use  of  improved 
security  practices.  Topics  include:  Computer  Security  Act  of 
1987;  computer  fraud,  waste,  and  abuse;  and  types  of  computer 
hackers.  Also  discussed  are  natural  disasters  and  human  errors 
relating  to  computer  security. 

COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University  of  Maryland, University  College 
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 

COURSE TITLE: Introduction to Computer Security for Managers
COURSE  LENGTH:  8 HRS 


VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  program  is  designed  to  provide  mid-level  managers  with  an 
overview  of  computer  security  program  planning  and  management. 
Presentation  will  emphasize  compliance  with  P.L.  100-235  and  other 
laws  and  requirements  for  classified  and  unclassified  systems. 
Discussion will emphasize threats against sensitive systems;
capabilities  of  potential  adversaries;  asset  value;  sensitivity  and 
definition  of  protection  levels  appropriate  to  the  threat;  contingency 
planning;  and  management  risk  acceptance.  The  course  will  also  cover 
development  of  security  plans,  & implementing  computer  security 
programs  within  budget  and  staff  constraints.  The  objectives  are  to 
familiarize  mid-level  managers  with  computer  security  requirements  and 
responsibilities  and  to  increase  their  awareness  of  the  necessity  for 
computer  security.  Spaces  are  available  to  other  federal  agencies. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  5-Overview  of  the  ISA  Function 

Module  6-Overview  of  Computer  Operations 

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  9-Organization  and  Administration 

Module  23-Introduction  to  Application  Control  Reviews 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 1-Computers and Their Components
Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 
Module  5-EDP  Personnel 
Module  6-Access  Control  and  Security 




COURSE  TITLE:  Computer  Security  Awareness 
COURSE  LENGTH:  1 HR 


VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  course  is  to  provide  participants  with  an 
awareness  of  computer  security,  to  sensitize  them  to  the  need  for 
computer  security  policies  and  practices  in  the  workplace,  and  to 
motivate  each  individual  to  practice  effective  computer  security 
techniques.  The  instructional  content  of  the  course  is  composed 
of: requirements of computer-security-related laws and circulars;
definitions  and  examples  of  basic  computer  security  terms;  the 
increasing  concern  to  protect  computer  assets;  and  basic 
computer  practices,  controls,  and  countermeasures. 

NOTE: Contact the vendor for information concerning specialized
agency  training. 

COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their microcomputer assets, especially the stored information.

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 

COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  5-8  HRS 


VENDOR 

DPEC 

1679  Old  Henderson  Road 
Columbus,  OH  43220-3644 
(800)  223-3732 

This  is  a Computer  Based  Training  (CBT)  course  using  the 
framework  of  administrative,  physical  and  logical  security. 

Computer  Security  Awareness  explains  contingency  planning  and 
precautions  against  computer  crime  from  the  viewpoint  of 
mainframe  computers  and  micros;  a computer  security  checklist  is 
included.  This  is  a modular  course  lasting  5-8  hours.  The 
number  of  hours  is  based  upon  a student  interacting  with 
approximately  60-120  screens  per  hour. 

COURSE TITLE: Introduction to Computer Security for First-Level Supervisors
COURSE LENGTH: 8 HRS

VENDOR 


This program is designed for first-level supervisors and emphasizes the role of the supervisor
in implementing and managing computer security programs. The course discusses approaches
for instilling security awareness in staff, training, security administration, and incident
management  and  reporting.  An  overview  of  threats,  protection  strategies,  and  implementation 
of  policies  and  procedures  is  presented. 

SECURITY PLANNING AND MANAGEMENT
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE TITLE: Managing Org-Wide Information Security Program
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  program  examines  key  issues  in  building  and  maintaining  a 
security  program  that  serves  more  than  one  division...a  program 
that  cuts  across  traditional  boundaries  and  must  deal  with 
geographically  and  organizationally  distinct  units.  Practical, 
cost-effective  ideas  on  how  to  structure  a plan,  tools  for 
evaluating  risks  and  safeguards,  and  ways  to  encourage 
participation  and  commitment  from  all  levels  of  the  organization. 

Legislative  and  regulatory  pressures  including  but  not  limited  to 
the  Foreign  Corrupt  Practices  Act,  copyright  protection,  and  the 
Computer  Security  Act  of  1987.  Take-home  materials  include 
articles,  checklists,  forms,  and  information  sources. 

COURSE  TITLE:  Computer  Security  for  Security  & ADP  Program  Managers 
COURSE  LENGTH:  3 DAY 

VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  course  is  designed  for  ADP  program  managers  and  computer 
security  program  managers.  It  provides  an  overview  of  Public  Law 
100-235  and  other  laws  and  requirements  for  computer  security. 

Emphases  will  be  on  the  concepts  and  methodologies  for  developing 
computer  security  programs  and  the  Department’s  policies  regarding 
computer  and  information  security  as  a background  to  securing  the 
Department’s  information  resources.  The  objective  is  to  provide  a 
comprehensive  understanding  of  the  full  range  of  the  potential  threat 
and  the  effectiveness  of  alternative  security  controls  against  different 
threats.  Spaces  available  to  other  federal  agencies. 

COURSE TITLE: Building Information Security Awareness
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  shows  how  to  "educate"  managers,  users,  and  DP 
personnel on the importance of protecting information resources.
Top  managers  need  to  know  in  macro,  bottom-line  terms.  Data 
security  professionals  need  detailed  technical  training. 

Computer  users,  operators,  and  programmers  must  be  shown  what 
they  can  do  on  a day-to-day  operational  basis.  This  program 
delivers  practical  ideas  and  techniques  on  how  to  tailor  a 
computer  security  training/orientation  program  to  each  of  these 
diverse groups. You will learn how to plan a program. You will
be  shown  what  types  of  information  should  be  gathered  for 
presentation,  how  it  should  be  logically  organized  for  maximum 
impact,  and  which  meeting  and  presentation  techniques  are  most 
effective.  And  finally,  you  will  be  given  specific  ideas  on  how 
to  measure  the  effectiveness  of  your  security  awareness  program. 
As a "deliverable," you will develop an individualized training
plan to be used in your own environment.

COURSE TITLE: Developing Computer Security Policy & Procedures
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data  processing  security  manual.  You  will  learn  how  to  determine 
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized  policy  statements.  How  to  establish  working  liaisons 
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 


COURSE  TITLE:  LAN  Security 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Local  area  networks  (LANs)  are  significantly  impacting  the  way 
organizations  do  business.  As  more  and  more  critical  work 
migrates  from  mainframes  to  LANs,  the  need  for  better  controls 
becomes  apparent.  Learn  about  the  security  and  control  issues 
involved  with  LANs;  the  types  of  critical  and  sensitive  data  now 
residing  on  LANs;  the  impact  of  loss,  change  or  disclosure;  and 
realistic remedies for identified vulnerabilities. How
transition  technologies,  topologies,  and  architectures  create 
complex  security,  recovery,  and  integrity  problems.  Security 
features  of  popular  LAN  systems  software  and  add-on  packages. 
The  need  for  policies,  procedures,  and  administrative  controls. 

COURSE TITLE: Protecting Networks & Small Systems
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar productivity...and the risk that this technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security and control perspective of the opportunities and
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data 
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced  within  their  own  organizations.  Selected  "cases"  will  be 
analyzed  and  discussed. 

COURSE TITLE: Computer Viruses, Troj Horses, and Logic Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms,  logic  bombs,  and  trap  doors.  We  will  examine  the  broad 
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses 
get  into  systems,  demonstrations  of  illicit  programs,  and 
countermeasures.  The  impact  of  malignant  programming  extends 
well  beyond  any  immediate  file  damage.  Hidden  losses,  such  as 
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are they employees, competitors, outsiders? We will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  cannot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 




COURSE TITLE: Computer Security For Managers
COURSE  LENGTH:  1 DAY 


VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This workshop will show you how to develop computer security
awareness  for  end-users,  and  your  role  in  program  management, 
planning,  personnel  security,  contingency  planning,  and  the 
systems  development  life  cycle.  We  will  briefly  review  the 
Computer  Security  Act  of  1987,  and  cover  threats  to,  and 
vulnerabilities  of,  computer  systems  and  appropriate  safeguards, 
and  various  approaches  to  risk  assessment.  You  will  receive 
checklists  and  suggestions  for  becoming  more  aware  of  possible 
computer  security  problems  in  your  office,  and  you  will  be  able 
to  get  advice  on  how  to  deal  with  concerns  that  are  specific  to 
your  agency  or  installation. 


COURSE TITLE: DSR: No Fail Methodology For Data Security Review
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

The  DSR  is  a unique  and  tested  data  security  review  methodology 
that  provides  an  organization  with  a comprehensive,  usable 
analysis  and  evaluation  of  its  data  security  environment.  If  you 
have  been  using  an  unscientific  approach  to  review  data  security, 
you  will  appreciate  DSR  and  this  seminar’s  step-by-step 
application of its structured methodology. You will use DSR and
its  technical  documentation  to  conduct  an  actual  data  security 
review.  The  session’s  "hands-on"  approach  assures  that  you  take 
back  to  the  job  a cohesive  and  cost-effective  data  security 
program  and  a supporting  action  plan. 

COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University  of  Maryland, University  Coll 
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in shorter-duration programs. Call the vendor for more
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  4-Planning  the  IS  Audit 

Module 5-Overview of the ISA Function

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  23-Introduction  to  Application  Control  Reviews 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 

VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT  or  any  IBM-compatible  microcomputer 
with at least 192K memory. Call the vendor for more information
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 




COMPUTER  SECURITY  POLICY  AND  PROCEDURES 
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Building  Information  Security  Awareness 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  shows  how  to  "educate"  managers,  users,  and  DP 
personnel  on  the  importance  of  protecting  information  resources. 
Top  managers  need  to  know  in  macro,  bottom-line  terms.  Data 
security  professionals  need  detailed  technical  training. 

Computer  users,  operators,  and  programmers  must  be  shown  what 
they  can  do  on  a day-to-day  operational  basis.  This  program 
delivers  practical  ideas  and  techniques  on  how  to  tailor  a 
computer  security  training/orientation  program  to  each  of  these 
diverse  groups.  You  will  learn  how  to  plan  a program.  You  will 
be  shown  what  types  of  information  should  be  gathered  for 
presentation,  how  it  should  be  logically  organized  for  maximum 
impact,  and  which  meeting  and  presentation  techniques  are  most 
effective.  And  finally,  you  will  be  given  specific  ideas  on  how 
to  measure  the  effectiveness  of  your  security  awareness  program. 
As a "deliverable," you will develop an individualized training
plan to be used in your own environment.

COURSE TITLE: Developing Computer Security Policy & Procedures
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data  processing  security  manual.  You  will  learn  how  to  determine 
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized  policy  statements.  How  to  establish  working  liaisons 
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 


COURSE  TITLE:  LAN  Security 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Local  area  networks  (LANs)  are  significantly  impacting  the  way 
organizations  do  business.  As  more  and  more  critical  work 
migrates  from  mainframes  to  LANs,  the  need  for  better  controls 
becomes  apparent.  Learn  about  the  security  and  control  issues 
involved  with  LANs;  the  types  of  critical  and  sensitive  data  now 
residing  on  LANs;  the  impact  of  loss,  change  or  disclosure;  and 
realistic  remedies  for  identified  vulnerabilities.  How 
transition  technologies,  topologies,  and  architectures  create 
complex  security,  recovery,  and  integrity  problems.  Security 
features  of  popular  LAN  systems  software  and  add-on  packages. 
The  need  for  policies,  procedures,  and  administrative  controls. 

COURSE TITLE: Protecting Networks & Small Systems
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar productivity...and the risk that this technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security  and  control  perspective  of  the  opportunities  and 
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data 
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced within their own organizations. Selected "cases" will be
analyzed  and  discussed. 

COURSE TITLE: Computer Viruses, Troj Horses, and Logic Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms,  logic  bombs,  and  trap  doors.  We  will  examine  the  broad 
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses 
get into systems, demonstrations of illicit programs, and
countermeasures. The impact of malignant programming extends
well beyond any immediate file damage. Hidden losses, such as
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are they employees, competitors, outsiders? We will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  cannot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 

COURSE TITLE: Computer Security
COURSE  LENGTH:  5 DAY 


VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  about  federal  computer  security  regulations 
and  guidelines  and  their  implementation  in  government  agencies. 
Topics  include:  a threat  overview,  national  computer  security 
policies,  an  overview  of  the  National  Institute  of  Standards  and 
Technology  and  the  National  Computer  Security  Center,  physical 
security  considerations,  microcomputer  security  considerations, 
introduction  to  risk  assessment,  qualitative  risk  assessment, 
quantitative  risk  assessment,  other  risk  assessment 
methodologies,  contingency  planning,  design  reviews  and  system 
tests,  and  security  certification  and  accreditation. 

COURSE  TITLE:  Information  Security  And  Policy 
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

George  Washington  University/GSAS 
2000  G Street,  NW 
Washington,  DC  20077-2685 
(202)  994-7061 

Computer  fraud  and  effective  countermeasures  for  computer  system 
security.  The  social  and  legal  environment  of  information 
systems,  including  data  privacy  and  ethics  in  database 
management. Information access policy, data security, contracts.
Antitrust  and  other  business  implications  of  policies, 
transborder  data  flow,  technology  transfer,  electronic  funds 
transfer  systems,  criminal  justice  information  systems, 
cross-cultural  differences,  computer  infringement  of  copyright, 
and protection or property rights in software. Prerequisite:
AdSc 202 and 203.

COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University  of  Maryland, University  Coll 
University  Boulevard  at  Adelphi  Road 
College Park, MD 20742-1614
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 




COURSE  TITLE:  UNIX  Systems  Security 
COURSE  LENGTH:  3 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  course  discusses  UNIX  security  and  how  system  managers  and 
administrators  can  implement  security  measures  on  UNIX.  The 
focus  of  the  course  is  on  the  inherent  security  vulnerabilities 
commonly  found  on  UNIX  systems  and  how  to  correct  them.  Examples 
are  presented  which  illustrate  how  to  insure  a high  level  of 
security  confidence  against  unauthorized  users  from  accessing  the 
system.  The  common  methods  used  to  penetrate  UNIX  systems,  gain 
unauthorized  root  access  permission,  become  another  user,  plant 
trojan  horses  or  spoofs,  and  other  ways  of  circumventing  the 
normal system protection are disclosed. Each attendee will
receive  detailed  audit  checklists  and  a diskette  containing  UNIX 
shell  and  C programs  which  will  assist  in  performing  security 
auditing and risk analysis. Prerequisites: UX001-Fundamentals of
UNIX  and  UX006-UNIX  System  Administration.  A knowledge  of  Shell 
and  C programming  is  helpful. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 6-Overview of Computer Operations
Module 9-Organization and Administration
Module 10-System Development Life Cycle
Module 11-Change Control and Management
Module 13-"The Time Bomb"
Module 14-Access Control
Module 16-Program Execution
Module 17-Continuity of Operations
Module 20-Data Bases
Module 21-Minicomputer Systems
Module 22-Microcomputer Systems

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact  the  vendor  for  information  concerning  specialized 
agency  training. 

CONTINGENCY PLANNING
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Planning  An  EDP  Disaster  Recovery  Program 
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  critical  components  of  the  disaster 
recovery  planning  process  in  detail  and  offers  a practical 
framework  for  implementing  a disaster  recovery  program.  A "big 
think"  approach  is  required,  because  recovery  planning  is 
tedious,  time-consuming,  and  requires  management  commitment  plus 
cooperation  from  all  levels  of  user  personnel.  Less  than  20%  of 
the  top  1,000  U.S.  firms  have  workable  EDP  disaster  recovery 
plans  that  have  been  successfully  tested.  Indeed,  many 
organizations  today  have  no  formal  plans  at  all.  Some  have  tried 
to  formulate  a plan  but  failed  because  they  underestimated  the 
scope  and  complexity  of  the  task.  Although  a 3-day  seminar 
cannot  provide  all  the  details  necessary  for  a comprehensive 
program,  this  seminar  will  give  you  a firm  grounding  in  the 
knowledge  and  skills  needed  for  a successful  disaster  recovery 
planning  effort. 

COURSE TITLE: How To Develop A Disaster Recovery Plan
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  intensive  seminar  provides  proven  techniques  for  creating, 
implementing,  and  maintaining  an  effective  EDP  disaster  recovery 
plan.  You  will  learn  the  key  components  of  disaster  recovery 
planning,  how  to  create  and  test  a disaster  recovery  plan,  the 
emergency  plan,  backup  procedures,  and  critical  application 
analysis.  We  will  use  concrete  examples  of  major  tasks, 
including  implementing  escalation  procedures,  managing  the 
recovery  process,  and  integrating  plan  maintenance  into  the 
Systems  Development  Life  Cycle. 

COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors 
COURSE  LENGTH:  5 DAY 

VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691


This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  17-Continuity  of  Operations 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular training area:

Module  6-Access  Control  and  Security 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact the vendor for information concerning specialized

SYSTEMS LIFE CYCLE MANAGEMENT
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  UPS:Design,  Selection  and  Specification 
COURSE  LENGTH:  2 DAY 

VENDOR 

University  of  Wisconsin,  Milwaukee 
929  North  6th  Street 
Milwaukee,  WI  53203 
(800)  222-3623 

Program  objectives  of  this  institute  will  have  been  accomplished 
if,  upon  completion,  the  attendee  can  answer  satisfactorily  the 
following  questions:  Where  is  UPS  needed?  When  is  UPS  needed? 
Should  the  system  be  redundant?  How  should  components  be  chosen? 
How  is  a system  designed?  What  level  of  protection  is 
appropriate?  What  are  the  system  maintenance  requirements?  What 
grounding  and  noise  problems  need  consideration?  How  can 
satisfactory  performance  be  achieved  while  satisfying  the  NEC? 
NOTE:Previous  attendees  will  find  that  material  has  been  added  to 
the  program  since  they  last  attended. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691


This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration programs. Call the vendor for more information
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  10-System  Development  Life  Cycle 
Module 11-Change Control and Management

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  4-The  System  Development  Life  Cycle 


COURSE TITLE: Computer Security In Application Software
COURSE  LENGTH:  2 DAY 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

This  course  presents  a logical  sequence  of  overall  computer 
security  activities  during  the  application  development  life 
cycle.  The  course  will  assist  application  developers,  sponsors, 
and  owners  in  identifying  security  activities  that  should  be 
considered  for  applications,  whether  they  are  being  developed, 
significantly  enhanced,  or  routinely  debugged.  This  course  is 
primarily  intended  for  application  software  managers  and  support 
personnel. 

NOTE:Contact  the  vendor  for  information  concerning  specialized 
agency  training. 

COMPUTER SECURITY BASICS
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Becoming  An  Effective  Data  Security  Officer 
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

As  a Data  Security  Officer,  you  may  be  responsible  for  creating  a 
data  security  program  or  administering  and  improving  one  already 
in  place.  To  a great  extent,  you  will  be  defining  your  own  role 
as  you  proceed.  But  where  do  you  begin?  What  skills  do  you  need 
to  do  the  job?  Where  do  you  get  the  information  to  enhance  your 
own  skills?  Who  are  the  "key  players"  within  your  organization, 
and  how  do  you  get  them  committed  to  making  security  happen? 
What  are  the  advantages  of  the  job?  The  disadvantages?  How  have 
others  succeeded,  and  what  pitfalls  should  you  avoid?  This 
practical  3-day  program  will  deliver  the  know-how  to  help  you 
become  a more  effective,  proficient,  and  successful  Data  Security 
Officer. 


COURSE TITLE: Computer Security For End Users
COURSE  LENGTH:  1 DAY 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This  workshop  will  give  you  an  overview  of  the  threats  to,  and 
vulnerabilities  of,  computer  systems,  and  appropriate  safeguards 
to protect those systems. We will stress your role in the
protection of sensitive data, and in the prevention and detection
of computer crime. You will receive checklists and suggestions
for becoming more aware of possible computer security problems in
your office, and you will be able to get advice on how to deal
with concerns that are specific to your agency or installation.

COURSE TITLE: Computer Security Awareness Training
COURSE  LENGTH:  3 HRS 


VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  to  be  aware  of  threats  to  and  vulnerabilities 
of  computer  systems,  as  well  as  to  encourage  use  of  improved 
security  practices.  Topics  include:  Computer  Security  Act  of 
1987;  computer  fraud,  waste,  and  abuse;  and  types  of  computer 
hackers.  Also  discussed  are  natural  disasters  and  human  errors 
relating  to  computer  security. 


COURSE TITLE: Auditing Fraud: Prevent, Detect, & Control
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

Internal  auditors  are  relied  upon  more  and  more  to  recognize  the 
characteristics  of  potentially  fraudulent  activities,  and  to  be 
knowledgeable  about  where  fraud  is  most  likely  to  occur  in  the 
organization.  This  intensive  seminar  examines  where  and  why  all 
types  of  fraud  occur,  including  white  collar  crime,  computer 
fraud,  insider  fraud,  and  external  fraud.  In  this  session  you 
will  learn  to  recognize  red  flag  areas  of  fraud  and  strategies 
for  reducing  it.  This  seminar  is  your  short  cut  to  learning  how 
to  incorporate  prevention,  detection,  and  prosecution  of  fraud 
into  your  annual  audit  plans. 

COURSE TITLE: OS/MVS Op Sys:Security/Audit Facilities
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  course  covers  in  detail  the  facilities  available  within  MVS 
for  solving  audit  and  security  problems.  In  this  session  you 
will  learn  how  to  use  these  existing  software  tools  for  auditing 
the operating system itself as well as application systems.
Course  materials  include  a bibliography  of  IBM  manuals. 


COURSE TITLE: Control, Audit, and Security For VM Operating Systems
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar,  you  will  gain  the  technical  knowledge  and 
insight  necessary  to  conduct  an  independent  review  of  VM.  Topics 
included  cover  all  the  significant  audit  and  security  points  in 
VM  as  well  as  specific  tips  for  establishing  and  implementing 
sound  management  practices  for  the  VM  environment.  Participants 
should  have  a general  familiarity  with  VM. 

NOTE:  A CONTINUING  2-DAY  WORKSHOP  IS  ALSO  AVAILABLE. 

COURSE TITLE: Audit, Control, and Security Of AS/400
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar  you  will  learn  about  the  architecture,  security 
and  integrity  of  AS/400,  and  about  the  system’s  unique 
object-oriented  design  and  integrated  data  base  management  system 
(DBMS).  You  will  examine  the  impact  of  on-line  systems  on  the 
control  objectives  within  an  EDP  environment  in  general,  and  the 
security-related  concerns  and  control  objectives  specific  to 
AS/400.  You  will  leave  the  seminar  with  a methodology  and 
techniques  for  testing  AS/400. 

NOTE:  A CONTINUING  2-DAY  WORKSHOP  IS  ALSO  AVAILABLE. 


COURSE TITLE: CA-ACF2:Proper Implementation and Security
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  intensive  seminar  has  been  updated  to  cover  the  newest 
features  in  Release  5.2,  including  the  new  GROUP  feature  and 
major  changes  to  the  CA-ACF2/CICS  interface.  In  this  in-depth 
session  you  will  master  the  terms  and  concepts  you  need  to  know 
in  order  to  understand  how  CA-ACF2  protects  files  and  other 
resources in your MVS environment. You will discover all of the
important  testing  tools  available  in  this  security  package,  and 
how  to  use  them  effectively.  In  addition,  you  will  learn  how  to 
anticipate  the  deficiencies  most  commonly  found  in  CA-ACF2 
implementation  and  administration.  You  will  leave  this  intensive 
session  with  tips  for  demonstrating  risks  and  for  selling 
common-sense  recommendations  that  have  proven  track  records  for 
working.  The  course  materials  you  receive  will  include  an 
in-depth  audit  program  and  valuable  sample  reports. 

NOTE:  A CONTINUING  2-DAY  WORKSHOP  IS  AVAILABLE. 

COURSE TITLE: RACF:Proper Implementation and Security
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This course introduces you to the facilities of RACF that have an
impact upon audit and control objectives. It provides a complete
overview of all important functions and terminology associated
with RACF. You will learn to identify how RACF functions within
your MVS installation and how to audit its use and
administration. The course covers the Data Security Monitor and
other Auditability enhancements in versions 1.7 and 1.8. You
will also learn the internal security features of RACF and how
you can conduct tests to insure that control and audit mechanisms
are implemented properly. The seminar outline is subject to
change based on enhancements and changes to the RACF product.
Participants should have attended OS/MVS Operating:Security and
Audit. 

NOTE:  A 2-DAY  WORKSHOP  IS  ALSO  AVAILABLE. 

COURSE  TITLE:  CA-TOP  Secret:Proper  Implementation  and  Security 
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar  you  will  learn  the  functions  and  components  of 
TOP  SECRET  and  the  auditor  tools  within  TOP  SECRET  to  monitor  the 
effective  installation  and  on-going  functions  of  the  security 
system. You will learn all the important features of TOP SECRET
and  their  relationship  to  the  MVS  operating  system.  The  workshop 
covers  the  audit  trails  produced  by  the  system  and  describes  how 
these  reports  can  be  used  as  an  effective  detective  control  for 
monitoring  both  authorized  and  unauthorized  access  to  system 
resources.  Participants  should  first  attend  OS/MVS  Operating 
System:Security  and  Audit. 

NOTE:  A 2-DAY  WORKSHOP  IS  ALSO  AVAILABLE. 

COURSE TITLE: Omegamon: Audit and Security Features
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

Candle  Corporation’s  OMEGAMON  is  a leading-edge  product  used  to 
monitor  and  control  complex  MVS  environments.  Many  of  its  system 
functions  can  be  used  for  audit  and  security  purposes.  In  this 
seminar  you  will  learn  the  functions  and  components  of  OMEGAMON 
and  become  familiar  with  capabilities  within  OMEGAMON  MVS,  CICS, 
and  IMS  environments.  The  course  will  cover  internal  and 
external  security,  critical  commands,  and  audit  usage.  In  a 
"hands-on"  environment,  you  will  use  a microcomputer  model  of  the 
OMEGAMON  system  to  perform  critical  commands  and  audit  tests. 

The  course  will  enable  you  to  develop  a detailed  audit  program 
based  on  the  facilities  and  reporting  features  of  the  product. 

Participants  in  this  session  should  have  experience  in  MVS,  or 
should  have  attended  "Audit  and  Security  Concepts  for  MVS 
Operating  System." 

COURSE TITLE: Introduction to DEC’s VAX/VMS Operating System
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This course provides a thorough introduction to VAX/VMS from the
perspective of audit and security personnel who need access to
the systems-dependent facilities of VAX/VMS. Through case
examples you will see demonstrated the major features of VAX/VMS,
including  DCL,  utilities,  and  analysis  of  the  system.  This 
session  is  guaranteed  to  give  you  a basic  knowledge  of  the  VMS 
operating  system  and  a comfort  level  in  moving  around  it.  The 
facilities,  tools  and  techniques  taught  during  these  two  days 
will  dramatically  increase  your  understanding  of  and  productivity 
in  the  VMS  environment. 

NOTE:  ADVANCED  COURSE  AS  A FOLLOW-ON  ALSO  AVAILABLE. 

COURSE TITLE: Advanced Audit, Control, and Security/ DEC’s VAX/VMS
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  advanced  seminar  builds  on  the  concepts  and  facilities 
presented in "Introduction to DEC’s VAX/VMS Operating System" and
focuses  on  the  critical  points  to  consider  when  auditing  VAX/VMS 
systems  and  applications.  You  will  come  away  with  a detailed 
understanding of the VAX/VMS architecture, DCL commands,
Digital’s Network Architecture (DNA), and VAX built-in and
optional  security  features.  Emphasis  will  be  placed  on  important 
areas  for  audit  concentration  within  VMS  such  as  systems 
generation,  systems  dump  analyzer,  VMS  protection  and  privilege 
levels,  systems  and  user  logs,  and  DECnet  and  LAN  interfaces. 

Those  attending  should  have  experience  in  the  VAX/VMS 
environment, or should have attended "Introduction to DEC’s
VAX/VMS  Operating  System." 

COURSE TITLE: Introduction to Computer Security for Managers
COURSE  LENGTH:  8 HRS 


VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  program  is  designed  to  provide  mid-level  managers  with  an 
overview of computer security program planning and management.
Presentation  will  emphasize  compliance  with  P.L.  100-235  and  other 
laws  and  requirements  for  classified  and  unclassified  systems. 
Discussion  will  emphasize  threats  against  sensitive  systems; 
capabilities  of  potential  adversaries;  asset  value;  sensitivity  and 
definition  of  protection  levels  appropriate  to  the  threat;  contingency 
planning;  and  management  risk  acceptance.  The  course  will  also  cover 
development of security plans and implementing computer security
programs  within  budget  and  staff  constraints.  The  objectives  are  to 
familiarize  mid-level  managers  with  computer  security  requirements  and 
responsibilities  and  to  increase  their  awareness  of  the  necessity  for 
computer security. Spaces are available to other federal agencies.

COURSE TITLE: Tandem Security and Control
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

Tandem  computers  are  widely  used  in  the  banking  and  financial 
services  industries  to  support  Electronic  Funds  Transfer  (EFT) 
systems.  Retail  EFT  applications,  used  primarily  as  ATM  and  POS 
drivers,  process  transactions  that  are  high  in  volume  and  carry  a 
moderate  individual  dollar  value.  Wholesale  EFT  applications 
used  for  wire  transfers  process  a moderate  volume  of  transactions 
but at an extremely high dollar value. These systems can
exchange  the  total  assets  of  a bank  between  other  financial 
institutions  in  any  one  day’s  operation.  To  help  ensure  complete 
and  accurate  transaction  processing  of  these  "fault  tolerant" 
systems,  security  and  integrity  controls  that  are  specific  to 
Tandem  systems  must  be  understood,  evaluated,  and  tested  on  a 
routine  basis.  This  seminar  will  provide  computer  security  and 
audit  professionals  with  the  tools  to  review  Tandem  installations 
and  provide  sound,  technical,  and  practical  recommendations 
toward  improved  integrity  controls.  GUARDIAN  operating  system 
facilities will be examined as well as external security
extensions offered by Tandem and Alliance software vendors.

COURSE TITLE: Security and Auditability of the HP3000
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In this seminar you will learn about HP 3000’s standard system of
control, security, auditability, and file management. HP 3000’s
system  manager,  access  controls,  user-defined  commands,  audit 
trails,  and  source/object  version  control  features  will  be 
covered.  In  addition  to  the  elements  of  security  and  audit 
software,  you  will  learn  specific  procedures  for  their  use  that 
will  assure  the  integrity  of  the  programs  and  data  running  on 
your HP 3000 installation. Participants should have attended
"EDP Auditing and Controls" or "Auditing Advanced Computer
Applications."

COURSE TITLE: Guide To Auditing Novell Networks
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

Local  area  networks,  and  Novell  in  particular,  offer  enormous 
productivity  gains  to  organizations.  Unfortunately,  along  with 
the  benefits,  come  unique  and  complex  security  and  control  risks. 

If  you  are  a computer  auditor  who  now  must  audit  networks,  this 
course  is  for  you.  In  this  session  you  will  gain  a thorough 
understanding of basic networking concepts. You will learn the
exposures  and  control  concepts  within  Novell  NetWare,  the 
associated  environmental  control  concerns,  and  the  organizational 
and  procedural  issues  which  affect  the  integrity  of  networked 
LANs. The course will detail the specific access control
facilities  critical  to  the  LAN  implementation  and  administration. 

You will come away from this course with a framework for
determining  the  auditability  of  a Novell  LAN  implementation,  and 
with  a foundation  for  building  a LAN  audit  work  program. 

Participants  should  have  a good  understanding  of  personal 
computing,  the  DOS  operating  system  and  DOS  commands,  and  the  DOS 
batch language.

COURSE TITLE: Audit, Security-LANs & Micro-To-Mainframe Links
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  seminar  is  designed  to  help  you  avoid  potential  problems  by 
establishing  strategies  which  ensure  successful,  secure  LANs  and 
micro-to-mainframe  links.  This  seminar  provides  a comprehensive 
view  of  LAN  hardware  and  software,  and  micro-to-mainframe  linking 
hardware  and  software.  It  presents  practical  methods  for 
designing  and  implementing  effective  links  and  LANs  and  covers 
network  performance  and  data  compatibility  from  the  audit  and 
security  points  of  view.  In  this  session  you  will  learn 
techniques  for  auditing  LANs  and  links  and  for  implementing  data 
security and data integrity procedures. You will examine
hardware  and  software  products  designed  to  enhance  LAN  and  link 
security  as  well  as  those  designed  to  improve  audit  productivity. 

The  seminar  also  addresses  PC-to-PC  links,  including  remote  PC 
links  to  LANs  and  WANs.  A basic  understanding  of  the 
fundamentals  of  microcomputer,  spreadsheets,  and  data  base 
software is suggested.

COURSE TITLE: On-Line, Dist Comm Sys: Control, Audit & Security
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar  you  will  learn  the  basic  concepts  of  computer 
communications  systems  and  a simple  audit/analysis  technique 
which  can  help  you  expose  risks  with  very  little  in-depth 
knowledge  of  the  technology.  Through  examination  of  the  major 
functions and audit/security concerns in each layer of the ISO
"Reference Model," you will learn the components of a more
in-depth  communications  audit  and  the  design  and  evaluation 
criteria  of  internal  security  controls.  The  sample  work  plans 
you  receive,  and  the  guidelines,  audit  tools,  and  techniques  you 
learn  will  be  immediately  useful  in  auditing  any  communications 
system. 

COURSE  TITLE:  Advanced  Data  Comm  Networks: Security/Auditability 
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  seminar  builds  on  the  tools  and  techniques  learned  in 
On-Line  and  Distributed  Communications  Systems:  Control,  Audit, 
and  Security,  providing  a comprehensive  study  of  the  data  network 
portions of a computer communications system - OSI layers 1-4. You
will  explore,  in-depth,  the  audit  and  security  concerns  in  each 
layer,  and  examine  the  design  and  evaluation  criteria  of  internal 
security  controls.  At  the  end  of  this  intensive  session,  you 
will understand how protocols, public and private communication
systems,  and  local  area  networks  function.  You  will  know  how  to 
perform  a data  communications  audit.  Participants  should  first 
attend  "On-Line  and  Distributed  Communications  Systems." 

Participants  are  invited  to  bring  network  maps,  protocol  lists, 
and  data  traffic  load  statistics  from  their  own  installation. 

NOTE: A 2-DAY WORKSHOP IS ALSO AVAILABLE.

COURSE TITLE: Security & Auditing of SNA Networks/ACF/VTAM & NCP
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  comprehensive  seminar  presents  the  concepts,  terminology, 
components,  functions,  access  points,  and  use  of  SNA  (System 
Network  Architecture)  networks.  It  provides  the  technical 
information  necessary  to  ensure  that  appropriate  controls  are 
implemented  and  are  being  used.  With  the  information  you  gain 
from  this  seminar  you  can  enhance  the  integrity,  control,  and 
reliability  of  data  transfers  within  SNA  environments  and  to/from 
SNA  networks.  You  will  learn  standard  techniques  and  optional 
enhancements  for  implementing  and  maintaining  proven  audit  and 
control  procedures  for  SNA  systems.  The  seminar  covers  IBM’s 
environments.  Practical  audit  and  control  issues  to  be  addressed 
include: present and new communications controllers, protocol
emulators,  Netview  and  Netview/PC,  front  end  hardware  and 
software,  terminal  systems,  and  SNA  network  management  programs. 
NOTE:  A 2-DAY  WORKSHOP  IS  ALSO  AVAILABLE. 


COURSE TITLE: Audit, Control and Security of CICS
COURSE  LENGTH:  5 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

Telecommunications  technology  has  created  a whole  new  set  of 
concerns  regarding  the  control  and  auditability  of  on-line 
systems. This seminar will show you how to identify the
available  control  and  security  features  within  CICS.  You  will 
learn  how  to  audit  CICS  systems  to  insure  those  control  measures 
are  functioning  properly.  Participants  should  first  attend 
"OS/MVS  Operating  System:  Security  and  Audit." 

NOTE: A 2-DAY WORKSHOP IS ALSO AVAILABLE.

COURSE TITLE: UNIX Operating System: Security Features
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  seminar  identifies  the  weaknesses  of  UNIX  and  shows  you  how 
to  detect  and  prevent  unauthorized  access.  You  will  learn  how  to 
set  up,  manage,  and  maintain  an  enforceable  UNIX  security  policy. 
The  course  examines  security  loopholes  and  successful  ways  to  plug 
them.  You  will  learn  what  to  look  for  when  auditing  the  system 
for  suspected  security  violations. 


COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

University of Maryland, University Coll
University Boulevard at Adelphi Road
College Park, MD 20742-1614
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making under uncertainty are explored.

COURSE TITLE: Auditing AS/400: A Step By Step Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how 
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 

Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit 
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 

COURSE TITLE: The Data Center: Auditing For Profit
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access. 

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the related risks. As with all CANAUDIT courses, this seminar
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement the lecture.

COURSE TITLE: EDI: New Frontiers For Auditors
COURSE  LENGTH:  1 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Electronic  Data  Interchange  is  emerging  as  a major  component  of 
many  financial,  retail  and  manufacturing  applications.  Several 
major  companies  have  made  a public  commitment  to  full  EDI 
implementation in the near future. This technology presents the
auditor  with  many  new  control  and  security  issues  in  auditing  EDI 
applications.  The  elimination  of  physical  transactions  and  paper 
audit  trails  will  force  each  financial  auditor  to  perform 
functions  formerly  done  by  the  EDP  Auditor.  This  session  is 
designed  specifically  for  those  auditors  who  require  a 
comprehensive  audit  approach.  Modules  presented  in  this  seminar 
include  an  overview  of  EDI  technology  and  standards,  critical 
functions of EDI, the controls available in the X12 standard and
how  to  implement  them.  Each  participant  will  receive  a 
comprehensive audit program as part of the seminar handout.

COURSE TITLE: EDP Audit Workshop
COURSE  LENGTH:  5 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

This  workshop  is  designed  for  auditors  who  will  be  conducting 
audits in a computerized environment. The workshop assumes no
prior knowledge of EDP audit concepts or procedures and provides
participants  with  a sound  understanding  of  the  audit  risks 
relating  to  information  systems.  Once  the  groundwork  is  laid, 
participants  will  learn  the  controls  required  in  computerized 
applications  and  a step  by  step  approach  to  effectively  evaluate 
the  EDP  control  structures.  As  their  understanding  grows, 
participants  will  progress  to  more  complicated  IS  audit  topics 
including  local  area  networks,  data  security,  telecommunications 
networks  and  operating  systems.  Extensive  coverage  of  EDI 
ensures  participants  are  able  to  be  active  members  of  the  EDI 
Implementation  Team  and  ensures  appropriate  controls  are  designed 
into  EDI  applications.  Instructors  for  this  seminar  were 
selected  by  their  extensive  IS  audit  experience  and  their  ability 
to  explain  complex  technology  in  simple  English;  therefore, 
participants will be sure to grasp the key concepts.

COURSE TITLE: Audit Software: Implementing New Technology
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Audit  software  is  a tool  that  has  existed  for  many  years,  but 
many  auditors  have  failed  to  fully  utilize  this  valuable  tool 
effectively.  Audit  software  improves  productivity  and  enables 
the  discovery  of  control  weaknesses  that  would  otherwise  go 
undiscovered.  In  the  past,  auditors  have  had  to  rely  on  sampling 
techniques  due  to  file  size  limitations;  but  now  that  we  have 
more  powerful  processors  the  entire  data  base  can  be  read  and 
multiple  tests  performed  on  each  record.  This  greatly  improves 
the  quality  of  the  audit  while  reducing  audit  risk.  In  addition 
to  traditional  uses  of  audit  software,  this  session  introduces 
several  new  audit  software  techniques  such  as  remote  auditing  and 
knowledge  bases.  These  innovative  techniques  enable  broader 
audit  coverage  while  reducing  overall  audit  costs.  Investigative 
software  and  silent  auditing  enable  the  auditor  to  check  system 
integrity  and  detect  potential  fraud  using  the  surprise  audit 
approach.  By  the  end  of  this  extensive  seminar  the  participants 
will understand the potential of modern Computer Assisted Audit
Techniques,  and  how  to  utilize  these  powerful  resources  in  their 
environment.

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  5-Overview  of  the  ISA  Function 

Module  6-Overview  of  Computer  Operations 

Module 7-A Management Approach to Computer Fraud

Module 8-Introduction to General Controls

Module  9-Organization  and  Administration 

Module 23-Introduction to Application Control Reviews

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 1-Computers and Their Components
Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 
Module  5-EDP  Personnel 
Module 6-Access Control and Security

COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  1 HR 


VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  course  is  to  provide  participants  with  an 
awareness  of  computer  security,  to  sensitize  them  to  the  need  for 
computer  security  policies  and  practices  in  the  workplace,  and  to 
motivate  each  individual  to  practice  effective  computer  security 
techniques.  The  instructional  content  of  the  course  is  composed 
of: requirements of computer-security-related laws and circulars;
definitions  and  examples  of  basic  computer  security  terms;  the 
increasing  concern  to  protect  computer  assets;  and  basic 
computer  practices,  controls,  and  countermeasures. 

NOTE: Contact the vendor for information concerning specialized
agency  training. 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact  the  vendor  for  information  concerning  specialized 
agency training.

COURSE TITLE: Audit/Security Concepts-MVS/XA & MVS/ESA
COURSE  LENGTH:  5 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

While  attending  this  program  you  will  develop  your  technical 
understanding  of  the  MVS/XA  and  MVS/ESA  operating  system  and  gain 
the  skills  you  need  to  successfully  review  any  MVS  installation. 

This  session  presents  a foolproof  methodology  for  conducting  a 
successful MVS operating system review. You will apply this
methodology  for  reviewing  an  installation  and  develop  the  steps 
for  a complete  audit  program. 

NOTE:  Participants  should  have  attended  OS/MVS  Operating  System: 
Security  and  Audit  Facilities  or  have  technical  experience  in  the 
MVS  environment,  including  familiarity  with  TSO  or  the  use  of  IBM 
utilities. 


COURSE TITLE: Enterprise Systems Analysis for MVS/ESA & MVS/XA
COURSE  LENGTH:  4 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This seminar addresses the external and internal workings of the
MVS/XA and MVS/ESA operating systems, focusing on security and
control aspects. This seminar will answer questions and fill in
those  technical  areas  you  need  to  understand  in  order  to  perform 
more  effective  and  detailed  MVS  reviews. 

NOTE:  Participants  should  have  attended  "Audit  and  Security 
Concepts  for  the  MVS  Operating  System"  and  completed  one  or  more 
MVS  reviews.  Participants  are  requested  to  bring  to  the  session 
technical data or code extracted from their own MVS installation.

COURSE TITLE: Conducting a Performance Audit of MVS
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar  you  will  learn  bottom-line  impacting  measurement 
and  tuning  concepts  and  techniques  for  assessing  and  optimizing 
the  performance  of  your  current  MVS  operating  system.  When  you 
leave  this  session  you  will  be  able  to  conduct  a performance 
audit  of  an  MVS  system,  plus  provide  valuable  guidance  in  the 
system  and  tuning  process. 

NOTE:  Participants  should  have  attended  "Audit  and  Security 
Concepts  and  Workshop  for  MVS/XA  and  MVS/ESA"  and/or  have  a solid 
understanding  of  MVS. 


COURSE  TITLE:  How  to  Audit  and  Control  TSO 
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  workshop  will  give  you  a solid  background  in  the  functions 
and  components  of  TSO.  You  will  learn  the  capabilities  within 
TSO  and  MVS  that  enable  you  to  monitor  TSO’s  effective 
installation  and  on-going  functions.  You  will  learn  how  to  use 
TSO  audit  trails  to  monitor  both  authorized  and  unauthorized 
access  attempts  to  system  resources. 

NOTE:  Participants  should  be  familiar  with  OS/MVS  or  should  have 
attended "OS/MVS Operating System: Security and Audit".

COURSE TITLE: EDP Audit & the "CASE" Environment
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  course  is  constructed  to  examine  the  three  major  topic  areas 
that  are  of  special  interest  to  EDP  auditors  working  in  Computer 
Automated  Systems  Engineering  (CASE)  environments.  Part  one 
provides  a set  of  clear  definitions  about  the  CASE  industry,  its 
products,  and  trends.  In  part  two  you  will  learn  how  to  use 
CASE-based  tools  to  test  systems  and  data  integrity,  evaluate 
internal  controls,  and  generate  working  papers.  In  part  three 
you will learn the fundamental issues related to auditing
CASE-based  applications  including  change  controls,  and  data  and 
program  testing. 


COURSE TITLE: Telecom & LAN Mgr Guide to Disaster Prevention Recovery
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  two-day  briefing  will  provide  you  with  the  information  you 
need  to  prevent  a system  failure  and  to  react  appropriately 
should  one  occur.  The  purpose  of  this  briefing  is  to:  introduce 
you  to  the  areas  of  greatest  exposure  and  risk  in 
telecommunications  systems  and  local  area  networks,  define  the 
factors  and  costs  you  need  to  consider  when  developing  a disaster 
recovery  plan,  help  you  perform  a "self-audit"  to  determine  if 
your  networks  are  adequately  protected,  and  provide  you  with  the 
tools  you  need  to  effectively  avoid,  and  if  necessary,  guide  your 
company through a telecommunications disaster.

COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  5-8  HRS 


VENDOR 

DPEC 

1679  Old  Henderson  Road 
Columbus,  OH  43220-3644 
(800)  223-3732 

This  is  a Computer  Based  Training  (CBT)  course  using  the 
framework  of  administrative,  physical  and  logical  security. 
Computer  Security  Awareness  explains  contingency  planning  and 
precautions  against  computer  crime  from  the  viewpoint  of 
mainframe  computers  and  micros;  a computer  security  checklist  is 
included.  This  is  a modular  course  lasting  5-8  hours.  The 
number  of  hours  is  based  upon  a student  interacting  with 
approximately  60-120  screens  per  hour. 


COURSE  TITLE:  Auditing  LAN  Performance,  Security  & Reliability 
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

With  organizations  stringing  together  computers  at  a dizzying 
rate,  today’s  local  area  networks  (LANs)  are  carrying  more  vital 
engineering,  sales,  marketing,  and  shipping  data  than  ever 
before.  As  LAN  activity  increases,  decreased  network  performance 
can  spell  disaster.  Slow  response  time,  system  crash, 
unauthorized  use  of  system  terminals,  and/or  network 
incompatibilities  can  interrupt  work  flow,  dramatically  reduce 
productivity,  and  undermine  your  organization’s  bottom-line. 

This  comprehensive,  three-day  seminar  attacks  LAN 
vulnerabilities  head-on  and  provides  you  with  the  know-how  to 
analyze  LAN  activity  to  determine  if  sensitive  network  traffic 
is secured and if the network is performing properly.

SECURITY PLANNING AND MANAGEMENT
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Developing  Computer  Security  Policy  & Procedures 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data  processing  security  manual.  You  will  learn  how  to  determine 
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized policy statements. How to establish working liaisons
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 



COURSE  TITLE:  Protecting  Networks  & Small  Systems 
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar productivity...and the risk that this technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security  and  control  perspective  of  the  opportunities  and 
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data 
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced  within  their  own  organizations.  Selected  "cases"  will  be 
analyzed  and  discussed. 

COURSE  TITLE:  Computer  Security  for  Security  & ADP  Program  Managers 
COURSE  LENGTH:  3 DAY 

VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  course  is  designed  for  ADP  program  managers  and  computer 
security  program  managers.  It  provides  an  overview  of  Public  Law 
100-235  and  other  laws  and  requirements  for  computer  security. 

Emphases  will  be  on  the  concepts  and  methodologies  for  developing 
computer  security  programs  and  the  Department’s  policies  regarding 
computer  and  information  security  as  a background  to  securing  the 
Department’s  information  resources.  The  objective  is  to  provide  a 
comprehensive  understanding  of  the  full  range  of  the  potential  threat 
and  the  effectiveness  of  alternative  security  controls  against  different 
threats. Spaces available to other federal agencies.

COURSE TITLE: Computer Viruses, Trojan Horses, and Logic Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms,  logic  bombs,  and  trap  doors.  We  will  examine  the  broad 
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses 
get  into  systems,  demonstrations  of  illicit  programs,  and 
countermeasures.  The  impact  of  malignant  programming  extends 
well  beyond  any  immediate  file  damage.  Hidden  losses,  such  as 
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are they employees, competitors, outsiders? We will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  cannot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 

COURSE TITLE: Becoming An Effective Data Security Officer
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

As  a Data  Security  Officer,  you  may  be  responsible  for  creating  a 
data  security  program  or  administering  and  improving  one  already 
in  place.  To  a great  extent,  you  will  be  defining  your  own  role 
as  you  proceed.  But  where  do  you  begin?  What  skills  do  you  need 
to  do  the  job?  Where  do  you  get  the  information  to  enhance  your 
own  skills?  Who  are  the  "key  players"  within  your  organization, 
and  how  do  you  get  them  committed  to  making  security  happen? 
What  are  the  advantages  of  the  job?  The  disadvantages?  How  have 
others succeeded, and what pitfalls should you avoid? This
practical 3-day program will deliver the know-how to help you
become  a more  effective,  proficient,  and  successful  Data  Security 
Officer. 

COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  participative  program  examines  the  security  issues  around 
microcomputer  use,  with  emphasis  on  identifying  issues  and 
developing  plausible  solutions  for  your  real-world  environment. 
The  development  of  PC  security  issues  and  what  the  future  holds. 
Security  weaknesses  of  microcomputers  and  where  PC  security 
differs  from  mainframe  security.  Physical  protection  for  the 
machines  and  associated  media,  plus  data  access  control  and  virus 
prevention,  with  demonstrations  of  related  products.  Contingency 
planning  for  personal  computers.  Policies  and  procedures  for 
controlling  the  spread  and  use  of  PCs.  Software  piracy  and  how 
to  prevent  it  in  the  workplace.  The  value  of  a comprehensive  and 
continually  updated  security  awareness  program  in  achieving  your 
PC  security  objectives.  Designed  for  DP  and  information  center 
managers,  security  officers,  and  EDP  auditors. 


COURSE  TITLE:  Computer  Security  For  Security  Officers 
COURSE  LENGTH:  2 DAY 

VENDOR 

USDA, Graduate School
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This workshop will show you how to improve the computer security
program  in  your  agency.  Through  lectures,  discussion,  case 
studies  and  checklists  you  will  be  able  to  determine  the  strength 
of  your  current  security  program,  and  to  pinpoint  potential 
problem  areas  that  need  attention.  You  also  will  learn  about 
your  responsibilities  with  your  agency  management  in  terms  of 
policy  development  and  contingency  planning. 

COURSE TITLE: Information Risk Assessment & Security Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University of Maryland, University Coll
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 

COURSE  TITLE:  Computer  Security  & Contingency  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

Security  Administration  is  now  a reality  in  many  organizations. 
Other  companies  that  do  not  currently  have  a security 
administration  function  are  considering,  or  are  in  the  process  of 
creating  the  security  function.  This  seminar  is  designed  to 
remove  the  mystery  surrounding  data  security,  and  to  provide 
participants  with  a proven  approach  to  securing  their  computer 
systems.  At  the  end  of  the  session,  participants  will  understand 
security  administration  and  the  critical  items  that  must  be 
included  to  enable  the  function  to  perform  effectively.  They 
will  be  able  to  classify  data  by  criticality  and  confidentiality. 

They  will  have  an  understanding  of  logical  access  security, 
disaster  contingency  planning,  and  how  to  develop  and  implement 
security  procedures  in  their  organization. 

COURSE TITLE: Control and Security of LANS
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

As  local  area  networks  (LAN’s)  permeate  the  organization, 
security  and  control  issues  are  often  ignored.  This  seminar 
takes  a hard  look  at  the  audit  concerns  of  LAN’s  and  how  to 
install effective controls in this dynamic computer environment.
Participants  will  learn  what  can  go  wrong  in  the  LAN  environment 
and  what  preventive  and  detective  controls  are  available  to 
mitigate  control  weaknesses  within  the  LAN  or  from  external 
connections.  LAN  Management  and  the  role  of  the  LAN  officer  is 
discussed  in  detail.  Special  emphasis  is  placed  on  management  of 
the  hardware  and  connectivity  along  with  the  selection  of 
software.  These  key  items  often  limit  the  overall  usefulness  of 
the  LAN  and  inhibit  the  achievement  of  connectivity  and 
productivity  objectives.  Each  participant  will  receive  detailed 
audit  programs,  common  control  weaknesses  and  sample 
recommendations.  These  are  the  key  tools  they  need  to  conduct 
LAN  audits. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar will be exposed to every major aspect of information
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  4-Planning  the  IS  Audit 

Module 5-Overview of the ISA Function

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  23-Introduction  to  Application  Control  Reviews 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 

VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 

COMPUTER SECURITY POLICY AND PROCEDURES
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Developing  Computer  Security  Policy  & Procedures 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data processing security manual. You will learn how to determine
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized  policy  statements.  How  to  establish  working  liaisons 
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 

COURSE TITLE: Communication Security Principles & Practices
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 

600  Harrison  Street 

San  Francisco  CA  94107 
(415)  905-2200 

This  workshop  is  for  data  processing  managers,  security  officers, 
and  auditors  who  have  little  or  no  knowledge  in  the 
communications  area.  Because  communications  systems  are  so 
complex  and  vulnerable,  the  data  processing  operation  is  a 
substantial  risk.  You  will  learn  about  the  basic  concepts  and 
the  terminology  needed  to  communicate  effectively  with 
technicians. The emphasis, however, is on vulnerabilities and
the  practical  security  safeguards  you  can  implement.  Because  the 
largest  communications  risk  faced  by  most  organizations  is 
unauthorized  access  to  their  computers,  considerable  emphasis 
will  be  placed  on  how  mainframe  access  control  mechanisms 
interface  with  other  communication  security  techniques.  In 
particular,  you  will  learn  to  address  the  three  major  risks  - 
loss  of  network  service,  unauthorized  access  to  your  network  and 
data  center  resources,  and  surveillance  of  your  network  traffic. 
"Special  Note"  You  are  encouraged  to  prepare,  in  advance  of  the 
Workshop,  a description  of  specific  communications  security 
problems  being  faced  within  your  own  organization.  Cases  will  be 
discussed  as  time  permits  and  as  issues  arise  during  the 
Workshop. 

COURSE TITLE: Managing Computer Security-Mergs, Acq, and Divestitures
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Mergers,  acquisitions,  and  divestitures  are  common  in  today’s 
corporate  environment.  Unfortunately,  while  these  situations  can 
create  serious  information  protection  problems,  security  is 
usually  considered  only  after  the  financial,  legal,  and 
structural  issues  have  been  settled.  This  seminar  for  security 
officers,  DP  managers,  and  auditors  examines  what  to  do  before, 
during  and  after  a major  organizational  change  to  ensure  the 
adequate  controls  are  in  place.  Computer  security  problems  in 
merger/acquisition/divestiture  situations,  and  what  we  can  do 
about  them.  How  major  internal  reorganizations,  functional, 
consolidation,  and  plant  closings  affect  security.  These  days 
many large corporations are "outsourcing" - getting out of the DP
business  by  contracting  all  DP  operations  to  an  outside  vendor. 
When  this  occurs,  how  do  we  ensure  that  the  vendor  properly 
protects  our  sensitive  data  and  applications?  What  conditions 
increase  an  organization’s  vulnerability?  Risk-reducing 
countermeasures. 

COURSE TITLE: Protecting Networks & Small Systems
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar productivity...and the risk that this technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security  and  control  perspective  of  the  opportunities  and 
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data 
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced  within  their  own  organizations.  Selected  "cases"  will  be 
analyzed  and  discussed. 

COURSE TITLE: Computer Viruses, Trojan Horses, and Logic Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms, logic bombs, and trap doors. We will examine the broad
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses 
get  into  systems,  demonstrations  of  illicit  programs,  and 
countermeasures.  The  impact  of  malignant  programming  extends 
well  beyond  any  immediate  file  damage.  Hidden  losses,  such  as 
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are they employees, competitors, outsiders? We will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  cannot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 

COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  participative  program  examines  the  security  issues  around 
microcomputer  use,  with  emphasis  on  identifying  issues  and 
developing  plausible  solutions  for  your  real-world  environment. 
The  development  of  PC  security  issues  and  what  the  future  holds. 
Security  weaknesses  of  microcomputers  and  where  PC  security 
differs  from  mainframe  security.  Physical  protection  for  the 
machines  and  associated  media,  plus  data  access  control  and  virus 
prevention,  with  demonstrations  of  related  products.  Contingency 
planning  for  personal  computers.  Policies  and  procedures  for 
controlling  the  spread  and  use  of  PCs.  Software  piracy  and  how 
to  prevent  it  in  the  workplace.  The  value  of  a comprehensive  and 
continually  updated  security  awareness  program  in  achieving  your 
PC  security  objectives.  Designed  for  DP  and  information  center 
managers,  security  officers,  and  EDP  auditors. 

COURSE TITLE: Computer Security And Privacy
COURSE  LENGTH: 


VENDOR 

Johns  Hopkins  University 
9601  Medical  Center  Drive 
Rockville,  MD  10850 
(301)  294-7070 

This  course  surveys  the  broad  fields  of  computer  security  and 
privacy,  concentrating  on  the  nature  of  the  computer  security 
problem  by  examining  threats  to  systems  security,  types  of 
computer  systems,  and  areas  of  system  security  and  protection. 
Policy  considerations  related  to  the  technical  nature  of  the 
problem  as  manifested  in  government  regulations  and  commercial 
practices  are  examined.  The  course  develops  the  student’s 
ability  to  assess  system  security  weakness  and  formulate 
technical  recommendations  in  the  areas  of  hardware.  Additional 
topics  include  access  control  (hardware  and  software), 
communications  and  network  security,  and  the  proper  use  of  system 
software  (operating  system  and  utilities).  The  course  addresses 
the  social  and  legal  problems  of  individual  privacy  in  a data 
processing  environment,  as  well  as  the  computer  "crime"  potential 
of  such  systems.  Several  data  encryption  algorithms  are  examined. 

A student  project  or  programming  assignment  may  be  required. 

COURSE TITLE: Computer Security
COURSE  LENGTH:  5 DAY 


VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  about  federal  computer  security  regulations 
and  guidelines  and  their  implementation  in  government  agencies. 
Topics  include:  a threat  overview,  national  computer  security 
policies,  an  overview  of  the  National  Institute  of  Standards  and 
Technology  and  the  National  Computer  Security  Center,  physical 
security  considerations,  microcomputer  security  considerations, 
introduction  to  risk  assessment,  qualitative  risk  assessment, 
quantitative  risk  assessment,  other  risk  assessment 
methodologies,  contingency  planning,  design  reviews  and  system 
tests,  and  security  certification  and  accreditation. 


COURSE  TITLE:  Information  Security  And  Policy 
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

George  Washington  University/GSAS 
2000  G Street,  NW 
Washington,  DC  20077-2685 
(202)  994-7061 

Computer  fraud  and  effective  countermeasures  for  computer  system 
security.  The  social  and  legal  environment  of  information 
systems,  including  data  privacy  and  ethics  in  database 
management. Information access policy, data security, contracts.
Antitrust  and  other  business  implications  of  policies, 
transborder  data  flow,  technology  transfer,  electronic  funds 
transfer  systems,  criminal  justice  information  systems, 
cross-cultural  differences,  computer  infringement  of  copyright, 
and  protection  or  property  rights  in  software.  Prerequisite: 

AdSc  202  and  203. 

COURSE TITLE: Security & Control In Automated Systems-Audit IS
COURSE  LENGTH:  3 DAY 


VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

Internal  auditors  have  a major  role  in  reviewing  the  security  and 
controls  in  sensitive  automated  systems.  This  course  provides 
practical  guidelines  and  techniques  for  auditing  and  evaluating 
the  adequacy  of  security  and  internal  controls  in  sensitive 
automated  systems.  Major  problem  areas  are  discussed  and 
examples  illustrating  the  results  of  inadequate  security  and 
controls  are  presented.  In  addition,  the  responsibility  of 
management,  internal  audit,  and  data  processing  personnel  is 
discussed. This course also provides the attendee with a
comprehensive  methodology  for  conducting  security  and  internal 
control  audits  of  sensitive  data  processing  systems.  Using  a 
case  study  approach,  the  course  illustrates  how  to  identify  and 
quantify  the  vulnerabilities  of  automated  systems  to  fraud, 
disclosure,  delay,  and  other  threats.  The  internal  control 
techniques  which  can  be  applied  to  address  these  vulnerabilities 
are discussed, as well as the requirements of OMB circulars A-127
and A-130.

COURSE TITLE: Data Center Security And Auditability
COURSE  LENGTH:  2 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

As  an  auditor  in  today’s  business  environment,  you  must  be 
familiar  with  the  information  processing  function.  In  this 
seminar  you  will  learn  the  components  of  a data  center  and  the 
controls  necessary  to  ensure  accurate  and  reliable  processing. 

The  course  covers  data  center  operations,  administration, 
scheduling,  physical  and  data  security,  program  change  control, 
incident  reporting,  disaster  recovery,  and  more.  The  seminar 
focus  is  on  mainframe  data  centers,  but  includes  security  and 
audit  responsibilities  for  mini  and  microcomputer  environments  as 
well.  Participants  should  have  attended  EDP  Auditing  and  Controls 
or  Auditing  Advanced  Computer  Applications. 


COURSE  TITLE:  Audit  & Security  of  DB2 
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  course  you  will  learn  how  IBM’s  newest  relational  data 
base  operates  and  how  it  affects  the  integrity,  security,  and 
control  of  application  systems.  You  will  first  gain  a thorough 
understanding  of  the  specific  ways  in  which  DB2  exposes  your 
organization  to  threats  such  as  data  security,  integrity, 
reliability,  backup  and  recovery.  You  will  then  learn  specific 
audit  controls  to  employ  to  reduce  those  risks.  You  will  leave 
the  seminar  knowing  all  the  control  points  and  retrieval 
utilities  that  are  available  within  DB2.  More  importantly,  you 
will  take  back  to  the  job  a tested  audit  approach  to  use  in  your 
DB2  environment. 

COURSE TITLE: Audit & Security Concepts: MVS Operating System
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  intensive  course  you  will  learn  the  concepts  of 
integrity, security and reliability that influence all versions
of  the  MVS  operating  system.  IBM’s  stated  goals  and  general 
design  philosophy  of  MVS  will  prepare  you  for  future  changes  in 
MVS  and  MVS/ESA.  Application  of  these  principles  will  allow  you 
to  detect  policy  or  legal  violations  against  programs  or  data. 

Where  appropriate,  examples  for  all  versions  of  MVS  will 
demonstrate  these  principles.  The  course  presents  a foolproof 
methodology  for  conducting  a successful  MVS  operating  system 
review. You will develop a skeletal program for the review and
specific  questions  to  ask  in  each  area.  The  procedures  and 
techniques  you  learn  in  this  seminar  will  give  you  a 50%  start  on 
the  review  of  your  MVS  operating  system.  Participants  in  this 
course  should  have  attended  OS/MVS  Operating  System: Security  and 
Audit  or  have  technical  experience  in  the  MVS  environment, 
including  familiarity  with  TSO  and  the  use  of  IBM  utilities. 

COURSE TITLE: Data Security Planning
COURSE  LENGTH:  3 DAY 


VENDOR 

IBM  Management  Institute 
19th  Floor 
Chicago,  IL  60611 
(312)  245-3791 

This  course  incorporates  the  latest  thinking  on  data  security 
planning  and  discusses  practical  methods  used  by  leading 
companies.  It  presents  the  policies  and  guidelines  of  IBM  and 
other  organizations  to  help  resolve  the  issues  facing  you  and 
your  organization.  This  course  should  be  attended  by  staff  or 
line  management  responsible  for  implementing  or  enhancing  the 
data  security  program.  It  is  also  intended  for  data  security 
administrators,  auditors  and  others  with  a specific  interest  in 
data  security.  This  is  a management  course,  not  a technical 
course.  It  is  appropriate  for  organizations  with  large  or  small 
DP  installations. 


COURSE  TITLE:  Information  Risk  Assessment  & Security  Management 
COURSE  LENGTH:  1 SEM 

VENDOR 

University of Maryland, University Coll
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 

COURSE TITLE: Computer Viruses: Detect, Prevent, Cure Infections
COURSE  LENGTH:  2 DAY 


VENDOR 

CENTER  for  Adv.  Professional  Develop. 

1820  E.  Garry  St. 

Santa  Ana,  CA  92705 
(714)  261-0240 

Most  of  those  who  work  with  computers  are  aware  of  the  existence 
of  something  called  "computer  virus,"  and  the  fact  that  it  may  be 
a danger  to  their  computers  or  data.  But  it  is  hard  to  get  good 
answers  to  the  questions  of  what,  exactly,  a virus  is,  how  great 
a danger  it  represents,  and  how  to  defend  against  any  damage  it 
might  cause.  Covering  technical  details  where  necessary,  but 
always  in  non-technical  language,  this  course  will  tell  you  what 
viri  are,  how  they  attack,  how  you  can  defend  against  them,  and 
what  the  existence  of  viri  mean  to  you  and  your  use  of  computers. 
The  course  will  give  you  a complete  overview  of  all  known  ways 
that  viri  have  "reproduced,"  and  the  various  types  of  damage  they 
have  done.  New  viri  are  constantly  being  written  so  the  course 
is  constantly  being  updated,  and  research  into  ways  that  viri 
could  attack,  but  haven’t  yet,  will  be  reported. 

COURSE TITLE: UNIX Systems Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  course  discusses  UNIX  security  and  how  system  managers  and 
administrators  can  implement  security  measures  on  UNIX.  The 
focus  of  the  course  is  on  the  inherent  security  vulnerabilities 
commonly  found  on  UNIX  systems  and  how  to  correct  them.  Examples 
are  presented  which  illustrate  how  to  insure  a high  level  of 
security  confidence  against  unauthorized  users  from  accessing  the 
system.  The  common  methods  used  to  penetrate  UNIX  systems,  gain 
unauthorized  root  access  permission,  become  another  user,  plant 
trojan  horses  or  spoofs,  and  other  ways  of  circumventing  the 
normal  system  protection  are  disclosed.  Each  attendee  will 
receive  detailed  audit  checklists  and  a diskette  containing  UNIX 
shell and C programs which will assist in performing security
auditing and risk analysis. Prerequisites: UX001-Fundamentals of
UNIX and UX006-UNIX System Administration. A knowledge of Shell
and  C programming  is  helpful. 

COURSE TITLE: Auditing AS/400: A Step By Step Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how 
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 

Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit 
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 

COURSE  TITLE:  The  Data  Center: Auditing  For  Profit 
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access. 

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the  related  risks.  As  with  all  CANAUDIT  courses,  this  seminar 
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement  the  lecture. 
COURSE  TITLE:  EDP  Audit  Workshop 
COURSE  LENGTH:  5 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 

Simi  Valley,  CA  93093 

(805)  583-3723 

This  workshop  is  designed  for  auditors  who  will  be  conducting 
audits  in  a computerized  environment.  The  workshop  assumes  no 
prior  knowledge  of  EDP  audit  concepts  or  procedures  and  provides 
participants  with  a sound  understanding  of  the  audit  risks 
relating  to  information  systems.  Once  the  groundwork  is  laid, 
participants  will  learn  the  controls  required  in  computerized 
applications  and  a step  by  step  approach  to  effectively  evaluate 
the  EDP  control  structures.  As  their  understanding  grows, 
participants  will  progress  to  more  complicated  IS  audit  topics 
including  local  area  networks,  data  security,  telecommunications 
networks  and  operating  systems.  Extensive  coverage  of  EDI 
ensures  participants  are  able  to  be  active  members  of  the  EDI 
Implementation  Team  and  ensures  appropriate  controls  are  designed 
into  EDI  applications.  Instructors  for  this  seminar  were 
selected  by  their  extensive  IS  audit  experience  and  their  ability 
to  explain  complex  technology  in  simple  English;  therefore, 
participants  will  be  sure  to  grasp  the  key  concepts. 
COURSE  TITLE:  Control  and  Security  of  LANS 
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

As  local  area  networks  (LAN’s)  permeate  the  organization, 
security  and  control  issues  are  often  ignored.  This  seminar 
takes  a hard  look  at  the  audit  concerns  of  LAN’s  and  how  to 
install  effective  controls  in  this  dynamic  computer  environment. 
Participants  will  learn  what  can  go  wrong  in  the  LAN  environment 
and  what  preventive  and  detective  controls  are  available  to 
mitigate  control  weaknesses  within  the  LAN  or  from  external 
connections.  LAN  Management  and  the  role  of  the  LAN  officer  is 
discussed  in  detail.  Special  emphasis  is  placed  on  management  of 
the  hardware  and  connectivity  along  with  the  selection  of 
software.  These  key  items  often  limit  the  overall  usefulness  of 
the  LAN  and  inhibit  the  achievement  of  connectivity  and 
productivity  objectives.  Each  participant  will  receive  detailed 
audit  programs,  common  control  weaknesses  and  sample 
recommendations.  These  are  the  key  tools  they  need  to  conduct 
LAN  audits. 
COURSE  TITLE:  Auditing  Advanced  Information  Technology 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

When  CANAUDIT  set  out  to  rewrite  the  popular  ADVANCED  EDP 
AUDITING  seminar,  the  objective  was  to  make  it  the  most 
comprehensive  Information  Systems  audit  course  currently 
available  in  the  public  marketplace.  Only  a completely  new 
seminar,  AUDITING  ADVANCED  INFORMATION  TECHNOLOGY,  could 
incorporate  all  of  the  enhancements.  AUDITING  ADVANCED 
INFORMATION  TECHNOLOGY  provides  the  Information  Systems  Auditor 
with  the  skills  required  to  perform  audits  of  Operating  Systems, 
Local  Area  Networks,  Wide  Area  Networks,  Access  Security  and  DB2. 

In  addition  to  generic  audit  programs,  participants  will  receive 
detailed  product  specific  checklists  for  MVS,  Tandem,  VAX,  AS/400 
and  Novell.  These  checklists  will  enable  the  IS  auditor  to 
conduct  audits  of  those  critical  components  of  information 
technology  necessary  to  ensure  their  organization’s  information 
processing  is  secure,  controlled  and  effective.  Emphasis  is 
placed  on  improving  the  quality  of  management  techniques  and 
controls  to  enable  organizations  to  operate  effectively  in 
today’s  complex  information  technology  environment. 
COURSE  TITLE:  Auditing  Datacomm  Networks 
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Wide  area  networks  are  the  lifeblood  of  corporate  information 
processing  and  connectivity,  yet  many  organizations  have  yet  to 
do  a complete  audit  of  network  operations  and  management.  This 
seminar  provides  the  IS  auditor  with  a structured  audit  approach 
directed  to  identifying  critical  control  weaknesses  in  the 
network,  the  carriers,  the  media  and  network  management.  Proven 
solutions  to  common  control  weaknesses  will  be  provided  to  each 
participant.  Focus  in  this  seminar  is  on  a complete  audit 
approach  for  data  and  voice  communications  from  a security  and 
cost  perspective.  Network  management  tools  and  problem 
resolution  techniques  are  the  cornerstone  of  network  operations. 
Special  emphasis  is  placed  on  using  NETVIEW,  a popular  network 
management  tool  to  identify  network  problems.  Participants  in 
this  session  will  receive  detailed  audit  programs  and  checklists 
which  will  provide  a strong  starting  point  for  their  first 
Network  Audit. 
COURSE  TITLE:  Auditing  IMS 
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  seminar  examines  the  complexities  of  the  IMS  database 
management  system.  From  a conceptual  overview  of  the  various  IMS 
facilities  to  the  detail  of  important  control  mechanisms  within 
the  IMS  product  software  family,  it  explores  the  impact  of  IMS  on 
the  work  of  the  auditor  and  the  system  development  process.  Upon 
completion  of  this  seminar,  the  participant  will  understand  the 
IMS  environment,  the  theory  and  terminology  and  the  operational 
perspective  of  running  IMS  on  a daily  basis.  An  audit  program  is 
discussed  to  enable  participants  to  make  practical  use  of  the 
material  covered  during  the  seminar. 


COURSE  TITLE:  MVS/ESA: An  Audit  Approach 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  operating  system  is  an  essential  component  of  system  security 
and  control.  This  seminar  explains  MVS/ESA,  its  components  and 
the  security  implications  resulting  from  control  weaknesses.  The 
SYSGEN  process,  system  options  and  parameters  are  discussed  as 
they  relate  to  security.  The  usefulness  and  recommended  use  of 
SMP  in  the  change  control  process  is  emphasized.  Management 
procedures  and  the  requirement  for  management  involvement  in  the 
SYSGEN  and  change  process  are  explained  from  an  audit 
perspective.  Each  participant  will  receive  an  audit  program  to 
enable  them  to  conduct  a thorough  review  of  MVS/ESA.  They  will 
also  receive  system  utilities  and  JCL  to  enable  them  to  verify 
the  installation  of  system  controls  and  identify  control 
deficiencies.  An  overview  of  system  security  packages  and  how 
they  enhance  total  system  security  is  also  provided. 
COURSE  TITLE:  Auditing  CICS/ESA 
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 

Simi  Valley,  CA  93093 

(805)  583-3723 

Finally,  a course  which  provides  EDP  Auditors  with  a modern 
approach  to  auditing  CICS!  This  seminar  emphasizes  a technical 
audit  of  CICS  with  in-depth  coverage  of  all  the  control  programs 
and  tables.  We  discuss  security  concepts  and  the  impact  of 
security  violations,  along  with  practical  suggestions  for 
implementing  the  security  features  inherent  in  CICS.  Sample 
audit  programs  and  suggested  recommendations  are  provided  to  each 
participant.  Classroom  presentations  and  discussions  enable  the 
participant  to  merge  both  theory  and  practice  into  a unified 
audit  approach.  Critical  audit  issues  such  as  ON-Line  Controls, 
Security  Data  Integrity,  and  Management  Concerns  are  developed 
throughout  the  session  to  enable  auditors  to  explain  the  business 
case  for  control  of  CICS  as  it  applies  to  their  organization. 

Since  many  clients  still  have  not  converted  from  CICS/VS  to  ESA, 
both  versions  will  be  covered  during  1991  presentations  of 
AUDITING  CICS/ESA. 
COURSE  TITLE:  Auditing  VAX: A Comprehensive  Approach 
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 

Simi  Valley,  CA  93093 

(805)  583-3723 

This  session  is  the  most  comprehensive  VAX  Audit  course  currently 
available.  It  is  intended  for  auditors  who  will  be  auditing  the 
VAX  operating  system  and  its  components.  The  seminar  provides 
participants  with  an  understanding  of  the  hardware,  software  and 
security  requirements  as  well  as  depth,  along  with  detailed 
descriptions  of  utilities  and  System  Generation  controls. 

Because  of  the  popularity  of  this  topic,  we  recommend  early 
registration. 

NOTE:  We  recommend  that  participants  attend  the  AUDITING  ADVANCED 
INFORMATION  TECHNOLOGY  or  EDP  AUDIT  WORKSHOP  seminars  or  their 
equivalents  prior  to  attending  this  course. 

COURSE  TITLE:  Auditing  Decnet 
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Many  Canaudit  clients  use  the  DEC  VAX  as  an  integral  part  of 
extensive  network  applications.  It  is  essential  that  these 
applications  be  secure  and  that  communications  be  safe  and 
confidential.  This  seminar  is  specifically  designed  for  Canaudit 
clients  using  DECnet,  the  primary  communications  architecture  for 
Digital  networks.  Complete  coverage  of  all  aspects  of  DECnet 
security  including  network  implementations,  Network  Control 
Program  and  network  access  control  methodologies  is  included  in 
this  concentrated  seminar.  All  participants  will  learn  the 
critical  control  features  of  DECnet  and  how  to  evaluate  the 
control  structure.  In  addition  they  will  receive  complete  audit 
programs  and  utilities  to  automate  much  of  the  audit. 

NOTE:  AUDITING  VAX: A  COMPREHENSIVE  APPROACH  is  the  prerequisite 
for  this  course. 
COURSE  TITLE:  Auditing  Tandem 
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Tandem  computers  have  successfully  penetrated  the  computing 
marketplace.  From  their  start  as  a fault  tolerant  machine, 
Tandems  are  now  the  processing  platform  of  choice  in  several 
industries.  Traditionally  used  in  banking,  Tandems  are  now  widely 
used  in  manufacturing,  research  and  as  business  processors  for 
critical  application  processing.  The  widespread  use  of  Tandems 
in  networked  environments  makes  them  a target  for  viral  and  hacker 
attacks.  As  a result,  the  need  for  security  and  control  for 
these  systems  has  never  been  greater,  yet  many  CANAUDIT  clients 
have  not  implemented  the  security  and  controls  provided  as  part 
of  the  Tandem  operating  system.  This  seminar  will  enable 
participants  to  perform  a complex  security  review  of  the  Tandem 
operating  system  and  security  functions.  The  instructor  explains 
potential  security  pitfalls  and  control  weaknesses  in  depth  and 
provides  participants  with  Tandem  utilities  designed  to  probe  the 
system  to  detect  control  weaknesses.  Participants  will  learn 
proven  techniques  to  remedy  security  and  control  weaknesses  and 
how  to  install  them. 

NOTE: We  recommend  that  auditors  attend  the  AUDITING  ADVANCED 
INFORMATION  SYSTEMS  or  the  EDP  AUDIT  WORKSHOP  seminars  or  their 
equivalents  prior  to  attending  this  session. 




COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors 
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  6-Overview  of  Computer  Operations 
Module  9-Organization  and  Administration 
Module  10-System  Development  Life  Cycle 
Module  11-Change  Control  and  Management 
Module  13-"The  Time  Bomb" 
Module  14-Access  Control 
Module  16-Program  Execution 
Module  17-Continuity  of  Operations 
Module  20-Data  Bases 
Module  21-Minicomputer  Systems 
Module  22-Microcomputer  Systems 
COURSE  TITLE:  EDP  Concepts  For  Business 
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 


COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE:  Contact  the  vendor  for  information  concerning  specialized 
agency  training. 
CONTINGENCY  PLANNING 
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Data  Center  Security  And  Auditability 
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

As  an  auditor  in  today’s  business  environment,  you  must  be 
familiar  with  the  information  processing  function.  In  this 
seminar  you  will  learn  the  components  of  a data  center  and  the 
controls  necessary  to  ensure  accurate  and  reliable  processing. 

The  course  covers  data  center  operations,  administration, 
scheduling,  physical  and  data  security,  program  change  control, 
incident  reporting,  disaster  recovery,  and  more.  The  seminar 
focus  is  on  mainframe  data  centers,  but  includes  security  and 
audit  responsibilities  for  mini  and  microcomputer  environments  as 
well.  Participants  should  have  attended  EDP  Auditing  and  Controls 
or  Auditing  Advanced  Computer  Applications. 


COURSE  TITLE:  Disaster  Recovery  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 

IBM  Management  Institute 
19th  Floor 
Chicago,  IL  60611 
(312)  245-3791 

The  real  objective  is  to  develop  and  maintain  recovery  capability 
- not  just  for  DP  but  - for  the  applications  critical  to  the 
conduct  of  business.  It  is  easier  and  cheaper  to  do  this  right. 

This  course  is  designed  for  those  who  wish  to  understand  the 
issues  and  the  alternatives,  and  for  those  who  have  to  put  a recovery 
capability  into  place.  Teams  from  both  the  DP  and  user 
communities  are  encouraged  to  attend  together.  This  is  a 
management  course,  not  a technical  course,  and  the  strategies 
discussed  are  independent  of  any  particular  hardware  or  software. 
COURSE  TITLE:  Computer  Security  & Contingency  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Security  Administration  is  now  a reality  in  many  organizations. 
Other  companies  that  do  not  currently  have  a security 
administration  function  are  considering,  or  are  in  the  process  of 
creating  the  security  function.  This  seminar  is  designed  to 
remove  the  mystery  surrounding  data  security,  and  to  provide 
participants  with  a proven  approach  to  securing  their  computer 
systems.  At  the  end  of  the  session,  participants  will  understand 
security  administration  and  the  critical  items  that  must  be 
included  to  enable  the  function  to  perform  effectively.  They 
will  be  able  to  classify  data  by  criticality  and  confidentiality. 

They  will  have  an  understanding  of  logical  access  security, 
disaster  contingency  planning,  and  how  to  develop  and  implement 
security  procedures  in  their  organization. 
COURSE  TITLE:  The  Data  Center: Auditing  For  Profit 
COURSE  LENGTH:  2 DAY 


VENDOR 

Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access. 

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the  related  risks.  As  with  all  CANAUDIT  courses,  this  seminar 
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement  the  lecture. 
COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors 
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  17-Continuity  of  Operations 
COURSE  TITLE:  EDP  Concepts  For  Business 
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 


COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE:  Contact  the  vendor  for  information  concerning  specialized 
agency  training. 
SYSTEMS  LIFE  CYCLE  MANAGEMENT 
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  AIS  Security  Strategies 
COURSE  LENGTH:  8 DAY 

VENDOR 

Information  Resources  Management  Coll. 

Bldg.  175,  Washington  Navy  Yard 
Washington,  DC  20374-5086 
(202)  433-4611 

The  course  covers  Automated  Information  System  (AIS)  security 
concepts,  safeguard  and  risk  analysis  methods,  and  trusted 
computer  system  approaches.  The  course  focuses  on  the 
incorporation  of  these  concepts,  methods,  and  approaches  into 
AISs  during  the  design,  development  and  procurement  phases  of  the 
life  cycle  management  process.  The  course  also  covers  security 
methods,  procedures  and  techniques  that  are  used  to  ensure  the 
viability  of  a major  AIS,  and  the  security  implications  of 
functional  and  technical  alternatives. 


COURSE  TITLE:  Risk  Assessment  Techniques  For  Auditors 
COURSE  LENGTH:  2 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

In  this  seminar  you  will  learn  how  to  design  or  select  and 
implement  a system  for  preparing  your  annual  audit  plan.  You 
will  learn  ways  to  define  an  audit  universe  and  auditable  units. 
The  risk  concepts  and  methods  you  will  learn  will  reduce  your 
subjectivity  and  improve  your  efficiency  and  effectiveness  in 
determining  which  audits  to  do  when.  The  program  examines 
techniques  used  by  audit  organizations  today  and  compares 
strengths  and  weaknesses  of  the  various  methods.  You  will  learn 
risk  assessment,  priority  setting  and  decision  making  skills  that 
will  enable  you  to  develop  effective  annual  audit  plans  based 
upon  risk. 
COURSE  TITLE:  Performing  Audits  of  MIS  Systems  Development  Process 
COURSE  LENGTH:  3 DAY 


VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

Developing  automated  information  and  control  systems  is  a 
critical,  costly  and  complex  undertaking  for  any  organization.  It 
is  also  an  effort  that  is  fraught  with  problems  if  not  managed 
properly.  This  course  will  provide  auditors  in  both  the  public 
and  private  sectors  with  an  understanding  of  the  systems 
development  life  cycle;  a knowledge  of  problems  that  can  and  have 
been  encountered  in  developing  systems  and  the  causes  of  such 
problems;  and  a methodology  for  auditing  the  systems  development 
process  and  providing  management  with  focused  recommendations  to 
prevent  systems  development  efforts  from  failing. 

NOTE:  This  course  is  designed  for  all  auditors  who  are,  or  will  be, 
involved  in  audits  of  systems  prior  to  installation  into 
production.  At  least  three  years  of  auditing  experience  is 
required. 


COURSE  TITLE:  UPS: Design,  Selection  and  Specification 
COURSE  LENGTH:  2 DAY 

VENDOR 

University  of  Wisconsin,  Milwaukee 
929  North  6th  Street 
Milwaukee,  WI  53203 
(800)  222-3623 

Program  objectives  of  this  institute  will  have  been  accomplished 
if,  upon  completion,  the  attendee  can  answer  satisfactorily  the 
following  questions:  Where  is  UPS  needed?  When  is  UPS  needed? 
Should  the  system  be  redundant?  How  should  components  be  chosen? 
How  is  a system  designed?  What  level  of  protection  is 
appropriate?  What  are  the  system  maintenance  requirements?  What 
grounding  and  noise  problems  need  consideration?  How  can 
satisfactory  performance  be  achieved  while  satisfying  the  NEC? 
NOTE:  Previous  attendees  will  find  that  material  has  been  added  to 
the  program  since  they  last  attended. 
COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors 
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  10-System  Development  Life  Cycle 
Module  11-Change  Control  and  Management 




COURSE  TITLE:  EDP  Concepts  For  Business 
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  4-The  System  Development  Life  Cycle 

COURSE  TITLE:  Operating  System  Security  Concepts 
COURSE  LENGTH:  5 DAY 

VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

An  introduction  to  operating  system  concepts  and  terminology  in 
computer  security  mechanisms.  These  concepts  include  operating 
system  services,  structures  and  processes;  design  principles; 
architectures;  hardware  security  mechanisms;  file  systems;  domain 
mechanisms;  memory  mapping;  and  device  drivers.  Specific 
threats,  vulnerabilities  and  derived  countermeasures  to 
operating  system  security  are  emphasized.  Specific  case  studies, 
e.g.,  MS/DOS,  OS/2,  MULTICS,  UNIX,  VAX/VMS,  SCOMP  and  a variety 
of  distributed  operating  systems.  Problems  and  group  exercises 
reinforce  class  presentations.  Prerequisites:  Bachelor’s  degree 
in  Computer  Science/Electrical  Engineering/Mathematics  or 
equivalent  experience.  Experience  developing  software  employing 
operating  systems  capabilities  is  desirable. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COURSE  TITLE:  Trusted  Systems  Criteria  and  Concepts 
COURSE  LENGTH:  5 DAY 


VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  which  examines  the  principles  and  technology  underlying 
the  DoD  Trusted  Computer  System  Evaluation  Criteria  (TCSEC)  and 
the  related  topics  of  trusted  system  evaluations  and 
accreditation.  Specific  topics  include  basic  principles  of 
trusted  systems,  mandatory  and  discretionary  access  control  (MAC 
& DAC),  user  accountability,  security  architectures,  formal 
security  models,  TCSEC  interpretations  and  other  assurance 
techniques.  Students  examine  how  to  build  secure  applications 
for  a trusted  system  without  invalidating  the  system’s 
evaluation.  Students  reinforce  class  presentations  by  using  the 
Xenix  2 software  package  in  laboratory  exercises.  Prerequisites: 
Familiarity  with  operating  systems  and  a Bachelor’s  degree  in 
Computer  Science/Electrical  Engineering/Mathematics  or  equivalent 
experience. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 




COURSE  TITLE:  Theoretical  Foundation/Trust  of  Information  Systems 
COURSE  LENGTH:  5 DAY 


VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  of  fundamental  concepts  of  models  in  computer  security. 
Develops  techniques  necessary  to  identify  and  describe  problems  in 
computer  security  using  mathematical  and  logical  concepts. 
Addresses  the  development  of  a formal  model  for  computer 
security,  demonstrates  that  the  model  is  consistent  with  its 
axioms  and  that  the  model  is  used  in  designing  secure  systems. 
Instruction  covers  classic  Bell  La  Padula  (BLP)  model,  as  well  as 
access  control,  information  flow,  non-interference,  concurrence, 
network  security  and  take-grant  models.  Surveys  newer  models: 
database,  integrity  and  event-based.  Prerequisites:  CP-510  and  a 
Bachelor’s  degree  in  Computer  Science/Electrical 
Engineering/Mathematics  or  equivalent  experience.  Familiarity
with  mathematical  logic  is  desirable. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COURSE  TITLE:  Architecture  for  Secure  Systems
COURSE  LENGTH:  5 DAY 


VENDOR 

National  Security  Agency 
Airport  Square
Baltimore 
(301)  859-6417 

A study  of  the  basic  architectural  features  to  support  secure 
computer  systems.  Using  requirements  of  trusted  computer  systems 
evaluation  criteria,  the  student  will  study  design  and 
implementation  of  various  protection  systems  by  addressing 
required  protection  and  domain  separation  mechanisms. 
Prerequisites:  CP-510  and  a firm  understanding  of  the  Bell  La 
Padula  Model.  A Bachelor’s  degree  in  Computer  Science/Electrical 
Engineering/Mathematics  or  equivalent  experience.  Experience  in 
developing  software  using  operating  systems  capabilities  is 
desirable. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COURSE  TITLE:  Network  Security  Architecture
COURSE  LENGTH:  2 DAY 


VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  covering  networking  and  protocol  concepts  important  for 
building  secure  systems  in  a variety  of  areas  including:  (1) 
network  security  concepts  related  to  different  types  of  computer 
networks  (2)  layered  protocol-security  in  general  and  the  OSI 
Reference  Model  in  particular  (3)  the  Government  Open  Systems 
Interconnection  Profile  (GOSIP),  including  a description  of  the 
security  options  supported  (4)  OSI  Security  Architecture, 
describing  the  OSI  security  services,  mechanisms  and  management 
(5)  network  security  design  factors  for  confidentiality, 
integrity  and  assured  service.  Prerequisites:  Bachelor’s  degree 
in  Computer  Science/Electrical  Engineering/Mathematics  or 
equivalent  experience.  Familiarity  with  data  communications  and 
computer  security  concepts/terminology  is  desirable. — CP-533 
and  535  are  specifically  structured  to  present  a complete 
component  of  network  information  during  a five-day  week;  we 
highly  recommend  students  take  both  courses. 

NOTE:  This  is  technical  in  nature.  Call  the  vendor  regarding  a 
clearance. 
COURSE  TITLE:  Advanced  Network  Security  Architecture
COURSE  LENGTH:  3 DAY 


VENDOR 

National  Security  Agency
Airport  Square
Baltimore
(301)  859-6417

A study  covering  advanced  secure  network  and  protocol  concepts 
important  for  building  secure  systems  in  a variety  of  areas 
including:  (1)  the  OSI  Security  Architecture  (2)  detailed 
protocol  descriptions  (i.e.,  IEEE  802  Standards;  data  link 
protocols,  X.25  and  related  standards;  Transmission  Control 
Protocol/Internet  Protocol  (TCP/IP);  Security  Protocol  4
(SP4)/Security  Protocol  3 (SP3);  File  Transfer,  Access  and
Management  (FTAM)  Protocol;  and  Key  Management  Protocol  (KMP))
(3)  Secure  network  performance  analysis  using  probability  theory,
queuing  theory  and  simulation  (4)  Integrated  Services  Digital 
Network  (ISDN)  and  its  relationship  to  computer  security  and  the 
OSI  Reference  Model  (5)  security  services  provided  by  protocols 
such  as  confidentiality,  integrity  and  assured  service  (6) 
specific  network  applications  including  SDNS,  BLACKER,  CANEWARE, 
IBM’s  SNA,  Novell’s  NetWare,  Defense  Data  Network  (DDN),  FTS  2000 
and  Electronic  Data  Interchange  (EDI).  Prerequisites:  CP-533  and 
a Bachelor’s  degree  in  Computer  Science/Electrical 
Engineering/Mathematics  or  equivalent  experience. — CP-533  and 
535  are  specifically  structured  to  present  a complete  component 
of  network  information  during  a five-day  week;  we  highly 
recommend  students  take  both  courses. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COURSE  TITLE:  Model  Interpretations
COURSE  LENGTH:  5 DAY 


VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  covering  the  interpretation  and  subsequent  application  of 
the  rules  of  formal  security  policy  models.  Student  will  compare 
(map)  these  rules  to  a system’s  software  to  ensure  that  the 
system’s  performance  accurately  complies  with  the  formal  models. 
Comparison  will  require  application  of  these  rules  to  lower 
specification  levels  of  both  operating  systems  and  hardware 
architectures.  Course  will  also  cover  state-of-the-art 
applications  of  formal  models.  Prerequisites:  CP-510,  520  and 
530.  Bachelor’s  degree  in  Computer  Science/Electrical 
Engineering/Mathematics  or  equivalent  experience.  Experience 
with  mathematical  logic  is  desirable. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 

COURSE  TITLE:  Introduction  to  Software  Verification 
COURSE  LENGTH:  15  DAY 

VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  covering  the  state-of-the-art  in  verification  techniques 
and  practice  using  two  endorsed  NCSN  verification  tools.
Techniques  include  a comparison  between  code  and  design 
verification.  Student  will  read,  write  and  execute  basic 
specifications  and  understand  first-order  logic  and  verification 
systems.  Student  will  develop  and  prove  properties  of  formal 
specifications.  Prerequisites:  MP470  or  working  knowledge  in 
predicate  calculus  and  first-order  logic,  CP-510  and  a Bachelor’s 
degree  in  Computer  Science/Electrical  Engineering/Mathematics  or 
equivalent  experience. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COURSE  TITLE:  INFOSEC  Evaluations  Using  Formal  Methods
COURSE  LENGTH:  5 DAY 


VENDOR 

National  Security  Agency 
Airport  Square 
Baltimore 
(301)  859-6417 

A study  covering  the  verification  paradigm  in  detail;  derivation 
of  the  security  policy  and  its  corresponding  formal  model; 
formulation  of  a Formal  Top  Level  Specification  (FTLS)  and 
Descriptive  Top  Level  Specification  (DTLS);  and  mapping  of  the 
FTLS  to  implementation.  Each  of  the  parts  of  the  paradigm  will 
be  investigated  in  terms  of  content  and  sufficiency  to  meet  the 
design  specification  and  verification  requirements  for  the 
information  security  system  being  developed.  Examples  will  cover 
how  verification  can  be  used  with  cryptographic  Communications 
Security  (COMSEC)  products.  Prerequisites:  CP-510  and  a 
Bachelor’s  degree  in  Computer  Science/Electrical 
Engineering/Mathematics  or  equivalent  experience.  Knowledge  of
mathematical  logic  is  desirable. 

NOTE:  This  course  is  technical  in  nature.  Call  the  vendor 
regarding  a clearance. 
COMPUTER  SECURITY  BASICS
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Becoming  Effective  Data  Security  Officer 
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

As  a Data  Security  Officer,  you  may  be  responsible  for  creating  a 
data  security  program  or  administering  and  improving  one  already 
in  place.  To  a great  extent,  you  will  be  defining  your  own  role 
as  you  proceed.  But  where  do  you  begin?  What  skills  do  you  need 
to  do  the  job?  Where  do  you  get  the  information  to  enhance  your 
own  skills?  Who  are  the  "key  players"  within  your  organization, 
and  how  do  you  get  them  committed  to  making  security  happen? 
What  are  the  advantages  of  the  job?  The  disadvantages?  How  have 
others  succeeded,  and  what  pitfalls  should  you  avoid?  This 
practical  3-day  program  will  deliver  the  know-how  to  help  you 
become  a more  effective,  proficient,  and  successful  Data  Security 
Officer. 


COURSE  TITLE:  Computer  Security  For  End  Users
COURSE  LENGTH:  1 DAY 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This  workshop  will  give  you  an  overview  of  the  threats  to,  and 
vulnerabilities  of,  computer  systems,  and  appropriate  safeguards 
to  protect  those  systems.  We  will  stress  your  role  in  the 
protection  of  sensitive  data,  and  in  the  prevention  and  detection 
of  computer  crime.  You  will  receive  checklists  and  suggestions 
for  becoming  more  aware  of  possible  computer  security  problems  in 
your  office,  and  you  will  be  able  to  get  advice  on  how  to  deal 
with  concerns  that  are  specific  to  your  agency  or  installation. 
COURSE  TITLE:  Computer  Security  Awareness  Training
COURSE  LENGTH:  3 HRS 


VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  to  be  aware  of  threats  to  and  vulnerabilities 
of  computer  systems,  as  well  as  to  encourage  use  of  improved 
security  practices.  Topics  include:  Computer  Security  Act  of 
1987;  computer  fraud,  waste,  and  abuse;  and  types  of  computer 
hackers.  Also  discussed  are  natural  disasters  and  human  errors 
relating  to  computer  security. 

COURSE  TITLE:  Microcomputer  Security
COURSE  LENGTH:  3 HRS 

VENDOR 

Department  of  Navy
Navy  Regional  Data  Automation  Center
San  Diego,  CA  92135-5110
(202)  223-9669

This  session  focuses  on  a variety  of  security  issues  found  in  a 
microcomputer  environment.  Safeguards  and  controls  for  personal
computers,  including  physical  protection  measures,  backups,  media 
handling  procedures,  and  security  awareness  programs  are 
described,  as  well  as  user  responsibilities. 
COURSE  TITLE:  UNIX  Operating  System:  Security  Features
COURSE  LENGTH:  3 DAY 


VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

This  seminar  identifies  the  weaknesses  of  UNIX  and  shows  you  how 
to  detect  and  prevent  unauthorized  access.  You  will  learn  how  to
set  up,  manage,  and  maintain  an  enforceable  UNIX  security  policy. 
The  course  examines  security  loopholes  and  successful  ways  to  plug 
them.  You  will  learn  what  to  look  for  when  auditing  the  system 
for  suspected  security  violations. 


COURSE  TITLE:  Information  Risk  Assessment  & Security  Management 
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

University  of  Maryland,  University  Coll
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 
COURSE  TITLE:  Auditing  AS/400:  A  Step  By  Step  Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how 
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 

Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit 
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 

COURSE  TITLE:  The  Data  Center:  Auditing  For  Profit
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access.

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the  related  risks.  As  with  all  CANAUDIT  courses,  this  seminar
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement  the  lecture. 
COURSE  TITLE:  EDI:  New  Frontiers  For  Auditors
COURSE  LENGTH:  1 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Electronic  Data  Interchange  is  emerging  as  a major  component  of 
many  financial,  retail  and  manufacturing  applications.  Several 
major  companies  have  made  a public  commitment  to  full  EDI 
implementation  in  the  near  future.  This  technology  presents  the
auditor  with  many  new  control  and  security  issues  in  auditing  EDI 
applications.  The  elimination  of  physical  transactions  and  paper 
audit  trails  will  force  each  financial  auditor  to  perform 
functions  formerly  done  by  the  EDP  Auditor.  This  session  is 
designed  specifically  for  those  auditors  who  require  a 
comprehensive  audit  approach.  Modules  presented  in  this  seminar 
include  an  overview  of  EDI  technology  and  standards,  critical 
functions  of  EDI,  the  controls  available  in  the  X12  standard  and 
how  to  implement  them.  Each  participant  will  receive  a 
comprehensive  audit  program  as  part  of  the  seminar  handout. 
COURSE  TITLE:  EDP  Audit  Workshop
COURSE  LENGTH:  5 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  workshop  is  designed  for  auditors  who  will  be  conducting 
audits  in  a computerized  environment.  The  workshop  assumes  no
prior  knowledge  of  EDP  audit  concepts  or  procedures  and  provides
participants  with  a sound  understanding  of  the  audit  risks 
relating  to  information  systems.  Once  the  groundwork  is  laid, 
participants  will  learn  the  controls  required  in  computerized 
applications  and  a step  by  step  approach  to  effectively  evaluate 
the  EDP  control  structures.  As  their  understanding  grows, 
participants  will  progress  to  more  complicated  IS  audit  topics
including  local  area  networks,  data  security,  telecommunications 
networks  and  operating  systems.  Extensive  coverage  of  EDI 
ensures  participants  are  able  to  be  active  members  of  the  EDI 
Implementation  Team  and  ensures  appropriate  controls  are  designed 
into  EDI  applications.  Instructors  for  this  seminar  were 
selected  by  their  extensive  IS  audit  experience  and  their  ability 
to  explain  complex  technology  in  simple  English;  therefore, 
participants  will  be  sure  to  grasp  the  key  concepts.
COURSE  TITLE:  Audit  Software:  Implementation  of  New  Technology
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093
(805)  583-3723 

Audit  software  is  a tool  that  has  existed  for  many  years,  but 
many  auditors  have  failed  to  fully  utilize  this  valuable  tool 
effectively.  Audit  software  improves  productivity  and  enables 
the  discovery  of  control  weaknesses  that  would  otherwise  go 
undiscovered.  In  the  past,  auditors  have  had  to  rely  on  sampling 
techniques  due  to  file  size  limitations;  but  now  that  we  have 
more  powerful  processors  the  entire  data  base  can  be  read  and 
multiple  tests  performed  on  each  record.  This  greatly  improves 
the  quality  of  the  audit  while  reducing  audit  risk.  In  addition 
to  traditional  uses  of  audit  software,  this  session  introduces 
several  new  audit  software  techniques  such  as  remote  auditing  and 
knowledge  bases.  These  innovative  techniques  enable  broader 
audit  coverage  while  reducing  overall  audit  costs.  Investigative 
software  and  silent  auditing  enable  the  auditor  to  check  system 
integrity  and  detect  potential  fraud  using  the  surprise  audit 
approach.  By  the  end  of  this  extensive  seminar  the  participants 
will  understand  the  potential  of  modern  Computer  Assisted  Audit
Techniques,  and  how  to  utilize  these  powerful  resources  in  their 
environment. 
COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3 - Getting  Started
Module  5 - Overview  of  the  ISA  Function
Module  6 - Overview  of  Computer  Operations
Module  7 - A Management  Approach  to  Computer  Fraud
Module  8 - Introduction  to  General  Controls
Module  9 - Organization  and  Administration
Module  23 - Introduction  to  Application  Control  Reviews
COURSE  TITLE:  EDP  Concepts  For  Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  1 - Computers  and  Their  Components
Module  2 - Data  and  Data  Processing
Module  3 - Programs  and  Languages
Module  5 - EDP  Personnel
Module  6 - Access  Control  and  Security
COURSE  TITLE:  Computer  Security  Awareness
COURSE  LENGTH:  1 HR 

VENDOR 

Booz-Allen  & Hamilton  Inc.
4330  East  West  Highway
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  course  is  to  provide  participants  with  an 
awareness  of  computer  security,  to  sensitize  them  to  the  need  for 
computer  security  policies  and  practices  in  the  workplace,  and  to 
motivate  each  individual  to  practice  effective  computer  security 
techniques.  The  instructional  content  of  the  course  is  composed 
of:  requirements  of  computer-security-related  laws  and  circulars;
definitions  and  examples  of  basic  computer  security  terms;  the 
increasing  concern  to  protect  computer  assets;  and  basic 
computer  practices,  controls,  and  countermeasures. 

NOTE:  Contact  the  vendor  for  information  concerning  specialized
agency  training. 

COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc.
4330  East  West  Highway
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately.

NOTE:  Contact  the  vendor  for  information  concerning  specialized
agency  training. 
COURSE  TITLE:  Information  Systems  Security
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

Anne  Arundel  Community  College 
101  College  Parkway 
Arnold,  MD  21012-1895 
(301)  541-2758 

A survey  of  topics  in  data  retention  and  control  and  techniques 
associated  with  data,  computer  systems,  network  and  installation 
security.  The  student  will  obtain  skills  related  to  occupations 
in  data  libraries  and  data  security  at  computer  installations. 

NOTE:  Three  semester  hours;  prerequisite:  CSI  113  or  permission 
of  department  head. 


COURSE  TITLE:  Computer  Security  Awareness
COURSE  LENGTH:  5-8  HRS 

VENDOR 

DPEC
1679  Old  Henderson  Road
Columbus,  OH  43220-3644 
(800)  223-3732 

This  is  a Computer  Based  Training  (CBT)  course  using  the 
framework  of  administrative,  physical  and  logical  security.
Computer  Security  Awareness  explains  contingency  planning  and 
precautions  against  computer  crime  from  the  viewpoint  of 
mainframe  computers  and  micros;  a computer  security  checklist  is 
included.  This  is  a modular  course  lasting  5-8  hours.  The 
number  of  hours  is  based  upon  a student  interacting  with 
approximately  60-120  screens  per  hour. 
COURSE  TITLE:  Introduction  to  Computer  Security  for  Managers
COURSE  LENGTH:  8 HRS 


VENDOR 

Department  of  Justice  Training  Center 
Suite  304,  Indiana  Building 
633  Indiana  Avenue,  NW 
Washington,  DC  20530 
(202)  307-0528 

This  program  is  designed  to  provide  mid-level  managers  with  an 
overview  of  computer  security  program  planning  and  management.
Presentation  will  emphasize  compliance  with  P.L.  100-235  and  other 
laws  and  requirements  for  classified  and  unclassified  systems. 
Discussion  will  emphasize  threats  against  sensitive  systems; 
capabilities  of  potential  adversaries;  asset  value;  sensitivity  and 
definition  of  protection  levels  appropriate  to  the  threat;  contingency 
planning;  and  management  risk  acceptance.  The  course  will  also  cover 
development  of  security  plans,  & implementing  computer  security 
programs  within  budget  and  staff  constraints.  The  objectives  are  to 
familiarize  mid-level  managers  with  computer  security  requirements  and 
responsibilities  and  to  increase  their  awareness  of  the  necessity  for 
computer  security.  Spaces  are  available  to  other  federal  agencies. 
SECURITY  PLANNING  AND  MANAGEMENT
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Managing  Org-Wide  Information  Security  Program
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  program  examines  key  issues  in  building  and  maintaining  a 
security  program  that  serves  more  than  one  division...a  program
that  cuts  across  traditional  boundaries  and  must  deal  with 
geographically  and  organizationally  distinct  units.  Practical, 
cost-effective  ideas  on  how  to  structure  a plan,  tools  for 
evaluating  risks  and  safeguards,  and  ways  to  encourage 
participation  and  commitment  from  all  levels  of  the  organization.
Legislative  and  regulatory  pressures  including  but  not  limited  to
the  Foreign  Corrupt  Practices  Act,  copyright  protection,  and  the 
Computer  Security  Act  of  1987.  Take-home  materials  include 
articles,  checklists,  forms,  and  information  sources. 
COURSE  TITLE:  Building  Information  Security  Awareness
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  shows  how  to  "educate"  managers,  users,  and  DP 
personnel  on  the  importance  of  protecting  information  resources. 
Top  managers  need  to  know  in  macro,  bottom-line  terms.  Data 
security  professionals  need  detailed  technical  training.
Computer  users,  operators,  and  programmers  must  be  shown  what
they  can  do  on  a day-to-day  operational  basis.  This  program 
delivers  practical  ideas  and  techniques  on  how  to  tailor  a 
computer  security  training/orientation  program  to  each  of  these 
diverse  groups.  You  will  learn  how  to  plan  a program.  You  will 
be  shown  what  types  of  information  should  be  gathered  for 
presentation,  how  it  should  be  logically  organized  for  maximum 
impact,  and  which  meeting  and  presentation  techniques  are  most 
effective.  And  finally,  you  will  be  given  specific  ideas  on  how 
to  measure  the  effectiveness  of  your  security  awareness  program. 
As  a "deliverable,"  you  will  develop  an  individualized  training 
plan  to  be  used  in  your  own  environment.
COURSE  TITLE:  Developing  Computer  Security  Policy  & Procedures
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data  processing  security  manual.  You  will  learn  how  to  determine 
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized  policy  statements.  How  to  establish  working  liaisons 
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 


COURSE  TITLE:  LAN  Security 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Local  area  networks  (LANs)  are  significantly  impacting  the  way 
organizations  do  business.  As  more  and  more  critical  work 
migrates  from  mainframes  to  LANs,  the  need  for  better  controls 
becomes  apparent.  Learn  about  the  security  and  control  issues 
involved  with  LANs;  the  types  of  critical  and  sensitive  data  now 
residing  on  LANs;  the  impact  of  loss,  change  or  disclosure;  and 
realistic  remedies  for  identified  vulnerabilities.  How 
transition  technologies,  topologies,  and  architectures  create 
complex  security,  recovery,  and  integrity  problems.  Security 
features  of  popular  LAN  systems  software  and  add-on  packages. 
The  need  for  policies,  procedures,  and  administrative  controls. 
COURSE  TITLE:  Protecting  Networks  & Small  Systems
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar  productivity...and  the  risk  that  this  technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security  and  control  perspective  of  the  opportunities  and 
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data 
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced  within  their  own  organizations.  Selected  "cases"  will  be 
analyzed  and  discussed. 
COURSE  TITLE:  Computer  Viruses,  Trojan  Horses,  and  Logic  Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms,  logic  bombs,  and  trap  doors.  We  will  examine  the  broad
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses
get  into  systems,  demonstrations  of  illicit  programs,  and 
countermeasures.  The  impact  of  malignant  programming  extends 
well  beyond  any  immediate  file  damage.  Hidden  losses,  such  as
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are  they  employees,  competitors,  outsiders?  We  will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  carmot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 
COURSE  TITLE:  Becoming  Effective  Data  Security  Officer
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

As  a Data  Security  Officer,  you  may  be  responsible  for  creating  a 
data  security  program  or  administering  and  improving  one  already 
in  place.  To  a great  extent,  you  will  be  defining  your  own  role 
as  you  proceed.  But  where  do  you  begin?  What  skills  do  you  need 
to  do  the  job?  Where  do  you  get  the  information  to  enhance  your 
own  skills?  Who  are  the  "key  players"  within  your  organization, 
and  how  do  you  get  them  committed  to  making  security  happen? 
What  are  the  advantages  of  the  job?  The  disadvantages?  How  have
others  succeeded,  and  what  pitfalls  should  you  avoid?  This 
practical  3-day  program  will  deliver  the  know-how  to  help  you 
become  a more  effective,  proficient,  and  successful  Data  Security 
Officer. 
COURSE  TITLE:  Microcomputer  Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  participative  program  examines  the  security  issues  around 
microcomputer  use,  with  emphasis  on  identifying  issues  and 
developing  plausible  solutions  for  your  real-world  environment. 
The  development  of  PC  security  issues  and  what  the  future  holds. 
Security  weaknesses  of  microcomputers  and  where  PC  security 
differs  from  mainframe  security.  Physical  protection  for  the 
machines  and  associated  media,  plus  data  access  control  and  virus 
prevention,  with  demonstrations  of  related  products.  Contingency 
planning  for  personal  computers.  Policies  and  procedures  for 
controlling  the  spread  and  use  of  PCs.  Software  piracy  and  how 
to  prevent  it  in  the  workplace.  The  value  of  a comprehensive  and 
continually  updated  security  awareness  program  in  achieving  your 
PC  security  objectives.  Designed  for  DP  and  information  center 
managers,  security  officers,  and  EDP  auditors. 
COURSE  TITLE:  Computer  Crime  & Industrial  Espionage
COURSE  LENGTH:  1 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

By  the  year  2000,  projections  suggest  that  an  amazing  2.5  billion 
people  will  have  access  to  computer  systems.  Clearly,  our  old 
concepts  of  doing  business  are  changing!  The  opportunity  for 
misuse  of  computers  increases  each  day.  This  seminar  is  designed 
to  help  data  processing  managers,  plant  and  DP  security 
personnel,  and  auditors  understand  the  unique  nature  of  computer 
crime  and  the  vulnerability  of  their  critical  and  sensitive 
information  to  misuse.  We  will  examine  the  current  state  of 
computer  crime  and  explore  specific  methods  used  for  illicit 
information  gathering.  Unauthorized  attempts  to  access  corporate 
data  are  no  longer  likely  to  be  teenage  hackers  playing  games.
Industrial  espionage  has  become  a significant  threat  as  many 
major  corporations  adopt  the  philosophy  that  it’s  more  important 
to  know  what  the  competition  is  doing  than  what  the  customer 
wants.  You  will  learn  where  confidential  corporate  information 
is  leaking  and  what  can  be  done  to  reduce  the  threat.  You  will 
hear  about  a number  of  actual  incidents  of  computer-aided  crime 
and  the  specific  steps  you  can  take  to  prevent  similar  abuses 
from  occurring  in  your  organization. 
COURSE  TITLE:  Information  Risk  Assessment  & Security  Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University  of  Maryland,  University  Coll
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative  decision-making 
under  uncertainty  are  explored. 

COURSE  TITLE:  Computer  Security  & Contingency  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Security  Administration  is  now  a reality  in  many  organizations. 
Other  companies  that  do  not  currently  have  a security 
administration  function  are  considering,  or  are  in  the  process  of 
creating  the  security  function.  This  seminar  is  designed  to 
remove  the  mystery  surrounding  data  security,  and  to  provide 
participants  with  a proven  approach  to  securing  their  computer 
systems.  At  the  end  of  the  session,  participants  will  understand 
security  administration  and  the  critical  items  that  must  be 
included  to  enable  the  function  to  perform  effectively.  They 
will  be  able  to  classify  data  by  criticality  and  confidentiality.
They  will  have  an  understanding  of  logical  access  security, 
disaster  contingency  planning,  and  how  to  develop  and  implement 
security  procedures  in  their  organization. 
COURSE  TITLE:  Control  and  Security  of  LANS
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

As  local  area  networks  (LAN’s)  permeate  the  organization, 
security  and  control  issues  are  often  ignored.  This  seminar 
takes  a hard  look  at  the  audit  concerns  of  LAN’s  and  how  to 
install  effective  controls  in  this  dynamic  computer  environment.
Participants  will  learn  what  can  go  wrong  in  the  LAN  environment
and  what  preventive  and  detective  controls  are  available  to 
mitigate  control  weaknesses  within  the  LAN  or  from  external 
connections.  LAN  Management  and  the  role  of  the  LAN  officer  is 
discussed  in  detail.  Special  emphasis  is  placed  on  management  of 
the  hardware  and  connectivity  along  with  the  selection  of 
software.  These  key  items  often  limit  the  overall  usefulness  of 
the  LAN  and  inhibit  the  achievement  of  connectivity  and 
productivity  objectives.  Each  participant  will  receive  detailed 
audit  programs,  common  control  weaknesses  and  sample 
recommendations.  These  are  the  key  tools  they  need  to  conduct 
LAN  audits. 
COURSE  TITLE:  Information  Systems  Seminar  For  Internal  Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  4-Planning  the  IS  Audit 

Module  5-Overview  of  the  ISA  Function 

Module  7-A  Management  Approach  to  Computer  Fraud

Module  8-Introduction  to  General  Controls 

Module  23-Introduction  to  Application  Control  Reviews 
COURSE  TITLE:  EDP  Concepts  For  Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 


COURSE  TITLE:  Information  Systems  Security 
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

Anne  Arundel  Community  College
101  College  Parkway
Arnold,  MD  21012-1895 
(301)  541-2758 

A survey  of  topics  in  data  retention  and  control  and  techniques 
associated  with  data,  computer  systems,  network  and  installation
security.  The  student  will  obtain  skills  related  to  occupations
in  data  libraries  and  data  security  at  computer  installations.

NOTE:  Three  semester  hours;  prerequisite:  CSI  113  or  permission 
of  department  head. 
COURSE  TITLE:  A Practical  Approach  to  Certifying  a System
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  course  shows  you  how  to  go  about  certifying  the  security  of 
a system,  whether  IBM,  DEC,  another  vendor,  or  a combination  of 
equipment  and  software  on  a network.  The  approach  used  in  the 
class  will  provide  you  with  flexible  techniques  to  conduct  risk
assessments,  to  obtain  consensus  on  the  standard  (whether  or  not 
a formal  standard  exists),  to  develop  a framework  for 
certification,  and  to  identify  and  evaluate  the  controls  on  the 
system  against  this  framework.  The  result  is  a documented 
summary  of  the  risks  and  controls,  organized  in  a way  that 
permits  easy  follow-up  and  modification  if  needed.  These 
techniques  can  be  applied  to  any  organizational  culture. 


COURSE  TITLE:  The  Security-Audit  Alliance
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  one  day  session  is  intended  for  both  auditors  and  security 
controls.  It  will  provide  both  groups  of  professionals  with
specific  ideas  to  improve  their  effectiveness  and  productivity 
by  working  together  in  non-traditional  ways. 
COMPUTER  SECURITY  POLICY  AND  PROCEDURES
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Building  Information  Security  Awareness 
COURSE  LENGTH:  2 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  shows  how  to  "educate"  managers,  users,  and  DP 
personnel  on  the  importance  of  protecting  information  resources. 
Top  managers  need  to  know  in  macro,  bottom-line  terms.  Data 
security  professionals  need  detailed  technical  training. 

Computer  users,  operators,  and  programmers  must  be  shown  what 
they  can  do  on  a day-to-day  operational  basis.  This  program 
delivers  practical  ideas  and  techniques  on  how  to  tailor  a 
computer  security  training/orientation  program  to  each  of  these 
diverse  groups.  You  will  learn  how  to  plan  a program.  You  will 
be  shown  what  types  of  information  should  be  gathered  for 
presentation,  how  it  should  be  logically  organized  for  maximum 
impact,  and  which  meeting  and  presentation  techniques  are  most 
effective.  And  finally,  you  will  be  given  specific  ideas  on  how 
to  measure  the  effectiveness  of  your  security  awareness  program. 
As  a "deliverable,"  you  will  develop  an  individualized  training 
plan  to  be  used  in  your  own  environment.
COURSE  TITLE:  Developing  Computer  Security  Policy  & Procedures
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  is  for  DP  managers,  data  security  managers,  and 
security  officers  responsible  for  developing  computer  security 
policies  and  procedures  and  integrating  them  into  a comprehensive 
data  processing  security  manual.  You  will  learn  how  to  determine 
what  policies  are  needed,  what  areas  a manual  should  cover,  and 
how  to  gather  the  necessary  information.  Two  different 
approaches  - step-by-step  "cookbook"  procedures  vs.  more 
generalized  policy  statements.  How  to  establish  working  liaisons 
with  support  staff  in  other  areas,  what’s  needed  to  get  your 
policies  and  manual  reviewed  and  approved,  and  pitfalls  that  must 
be  avoided.  Critique  actual  samples  of  procedures  and  policies 
currently  in  use. 
COURSE  TITLE:  Communication  Security  Principles  & Practices
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute
600  Harrison  Street
San  Francisco  CA  94107
(415)  905-2200

This  workshop  is  for  data  processing  managers,  security  officers, 
and  auditors  who  have  little  or  no  knowledge  in  the 
communications  area.  Because  communications  systems  are  so 
complex  and  vulnerable,  the  data  processing  operation  is  a 
substantial  risk.  You  will  learn  about  the  basic  concepts  and 
the  terminology  needed  to  communicate  effectively  with 
technicians.  The  emphasis,  however,  is  on  vulnerabilities  and
the  practical  security  safeguards  you  can  implement.  Because  the 
largest  communications  risk  faced  by  most  organizations  is 
unauthorized  access  to  their  computers,  considerable  emphasis 
will  be  placed  on  how  mainframe  access  control  mechanisms
interface  with  other  communication  security  techniques.  In
particular,  you  will  learn  to  address  the  three  major  risks  -
loss  of  network  service,  unauthorized  access  to  your  network  and 
data  center  resources,  and  surveillance  of  your  network  traffic. 
"Special  Note"  You  are  encouraged  to  prepare,  in  advance  of  the 
Workshop,  a description  of  specific  communications  security 
problems  being  faced  within  your  own  organization.  Cases  will  be 
discussed  as  time  permits  and  as  issues  arise  during  the 
Workshop. 
COURSE  TITLE:  LAN  Security
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Local  area  networks  (LANs)  are  significantly  impacting  the  way 
organizations  do  business.  As  more  and  more  critical  work 
migrates  from  mainframes  to  LANs,  the  need  for  better  controls 
becomes  apparent.  Learn  about  the  security  and  control  issues 
involved  with  LANs;  the  types  of  critical  and  sensitive  data  now 
residing  on  LANs;  the  impact  of  loss,  change  or  disclosure;  and 
realistic  remedies  for  identified  vulnerabilities.  How 
transition  technologies,  topologies,  and  architectures  create 
complex  security,  recovery,  and  integrity  problems.  Security 
features  of  popular  LAN  systems  software  and  add-on  packages. 
COURSE  TITLE:  Managing  Computer  Security-Mergs,  Acq,  and  Divest
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Mergers,  acquisitions,  and  divestitures  are  common  in  today’s 
corporate  environment.  Unfortunately,  while  these  situations  can 
create  serious  information  protection  problems,  security  is 
usually  considered  only  after  the  financial,  legal,  and 
structural  issues  have  been  settled.  This  seminar  for  security 
officers,  DP  managers,  and  auditors  examines  what  to  do  before, 
during  and  after  a major  organizational  change  to  ensure  the 
adequate  controls  are  in  place.  Computer  security  problems  in 
merger/acquisition/divestiture  situations,  and  what  we  can  do 
about  them.  How  major  internal  reorganizations,  functional, 
consolidation,  and  plant  closings  affect  security.  These  days 
many  large  corporations  are  "outsourcing"  - getting  out  of  the  DP
business  by  contracting  all  DP  operations  to  an  outside  vendor. 
When  this  occurs,  how  do  we  ensure  that  the  vendor  properly 
protects  our  sensitive  data  and  applications?  What  conditions 
increase  an  organization’s  vulnerability?  Risk-reducing 
countermeasures. 
COURSE  TITLE:  Protecting  Networks  & Small  Systems
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

Widespread  use  of  microcomputers  and  telecommunications 
technology  offers  greater  opportunities  for  increasing 
white-collar  productivity...and  the  risk  that  this  technology
will  proliferate  out  of  control.  This  seminar  provides  a 
security  and  control  perspective  of  the  opportunities  and 
pitfalls  in  this  new  environment.  It  will  be  valuable  for  data
processing  management,  communications  management  and  specialists, 
office  automation  management,  EDP  auditors,  security  officers, 
and  users  of  small  systems.  Participants  are  encouraged  to  bring 
a list  of  specific,  relevant  security  problems  currently  being 
faced  within  their  own  organizations.  Selected  "cases"  will  be
analyzed  and  discussed. 
COURSE  TITLE:  Computer  Viruses,  Trojan  Horses,  and  Logic  Bombs
COURSE  LENGTH:  2 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  insidious  threats  to  computer  systems 
posed  by  malicious  programming,  including  viruses,  Trojan  horses, 
worms,  logic  bombs,  and  trap  doors.  We  will  examine  the  broad 
spectrum  of  harmful  code,  the  people  who  create  it,  how  viruses 
get  into  systems,  demonstrations  of  illicit  programs,  and 
countermeasures.  The  impact  of  malignant  programming  extends 
well  beyond  any  immediate  file  damage.  Hidden  losses,  such  as 
reconstruction  of  programs  and  data,  and  exhaustive  detective 
work  may  be  necessary.  What  types  of  people  would  infect  our 
systems...are  they  employees,  competitors,  outsiders?  We  will
review  the  latest  legal  cases  relating  to  viruses  and  logic 
bombs.  Examples  of  anti-virus  software  - what  these  "digital 
pharmaceuticals"  can  and  cannot  do.  Realistic  approaches  for 
controlling  the  problem,  and  solutions  which  have  worked.  Note: 
Attendees  are  encouraged  to  provide  examples,  from  their  own 
experience,  of  destructive  programming  threats  and  effective 
technical  and  administrative  countermeasures  they  have  used. 
COURSE  TITLE:  Microcomputer  Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  participative  program  examines  the  security  issues  around 
microcomputer  use,  with  emphasis  on  identifying  issues  and 
developing  plausible  solutions  for  your  real-world  environment. 
The  development  of  PC  security  issues  and  what  the  future  holds. 
Security  weaknesses  of  microcomputers  and  where  PC  security 
differs  from  mainframe  security.  Physical  protection  for  the 
machines  and  associated  media,  plus  data  access  control  and  virus 
prevention,  with  demonstrations  of  related  products.  Contingency 
planning  for  personal  computers.  Policies  and  procedures  for 
controlling  the  spread  and  use  of  PCs.  Software  piracy  and  how 
to  prevent  it  in  the  workplace.  The  value  of  a comprehensive  and 
continually  updated  security  awareness  program  in  achieving  your 
PC  security  objectives.  Designed  for  DP  and  information  center 
managers,  security  officers,  and  EDP  auditors. 


COURSE  TITLE:  Computer  Security 
COURSE  LENGTH:  5 DAY 

VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  about  federal  computer  security  regulations 
and  guidelines  and  their  implementation  in  government  agencies. 
Topics  include:  a threat  overview,  national  computer  security 
policies,  an  overview  of  the  National  Institute  of  Standards  and 
Technology  and  the  National  Computer  Security  Center,  physical 
security  considerations,  microcomputer  security  considerations, 
introduction  to  risk  assessment,  qualitative  risk  assessment, 
quantitative  risk  assessment,  other  risk  assessment 
methodologies,  contingency  planning,  design  reviews  and  system 
tests,  and  security  certification  and  accreditation. 
COURSE  TITLE:  Information  Risk  Assessment  & Security  Management
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

University  of  Maryland, University  Coll 
University  Boulevard  at  Adelphi  Road 
College  Park,  MD  20742-1614 
(301)  985-7155 

An  examination  of  the  proliferation  of  corporate  data  bases  and 
the  development  of  telecommunications  network  technology  as 
gateways  or  invitations  to  intrusion.  Ways  of  investigating  the 
management  of  the  risk  and  security  data  and  data  systems  are 
presented  as  a function  of  design  through  recovery  and 
protection.  Issues  of  risk  and  security,  as  they  relate  to 
specific  industries  and  government,  are  major  topics  in  the 
course.  Examples  are  presented  of  how  major  technological 
advances  in  computer  and  operating  systems  have  placed  data,  as 
tangible  corporate  assets,  at  risk.  Both  quantitative  sampling 
techniques  for  risk  assessment  and  for  qualitative 
decision-making  under  uncertainty  are  explored. 
COURSE  TITLE:  Computer  Viruses:Detect,  Prevent,  Cure  Infections
COURSE  LENGTH:  2 DAY 

VENDOR 

CENTER  for  Adv.  Professional  Develop.
1820  E.  Garry  St.
Santa  Ana,  CA  92705
(714)  261-0240

Most  of  those  who  work  with  computers  are  aware  of  the  existence 
of  something  called  "computer  virus,"  and  the  fact  that  it  may  be 
a danger  to  their  computers  or  data.  But  it  is  hard  to  get  good 
answers  to  the  questions  of  what,  exactly,  a virus  is,  how  great 
a danger  it  represents,  and  how  to  defend  against  any  damage  it 
might  cause.  Covering  technical  details  where  necessary,  but 
always  in  non-technical  language,  this  course  will  tell  you  what
viri  are,  how  they  attack,  how  you  can  defend  against  them,  and
what  the  existence  of  viri  means  to  you  and  your  use  of  computers.
The  course  will  give  you  a complete  overview  of  all  known  ways 
that  viri  have  "reproduced,"  and  the  various  types  of  damage  they 
have  done.  New  viri  are  constantly  being  written  so  the  course 
is  constantly  being  updated,  and  research  into  ways  that  viri 
could  attack,  but  haven’t  yet,  will  be  reported. 
COURSE  TITLE:  UNIX  Systems  Security
COURSE  LENGTH:  3 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  course  discusses  UNIX  security  and  how  system  managers  and 
administrators  can  implement  security  measures  on  UNIX.  The 
focus  of  the  course  is  on  the  inherent  security  vulnerabilities 
commonly  found  on  UNIX  systems  and  how  to  correct  them.  Examples 
are  presented  which  illustrate  how  to  insure  a high  level  of 
security  confidence  against  unauthorized  users  from  accessing  the 
system.  The  common  methods  used  to  penetrate  UNIX  systems,  gain 
unauthorized  root  access  permission,  become  another  user,  plant 
trojan  horses  or  spoofs,  and  other  ways  of  circumventing  the 
normal  system  protection  are  disclosed.  Each  attendee  will
receive  detailed  audit  checklists  and  a diskette  containing  UNIX 
shell  and  C programs  which  will  assist  in  performing  security 
auditing  and  risk  analysis.  Prerequisites:  UX001-Fundamentals  of
UNIX  and  UX006-UNIX  System  Administration.  A knowledge  of  Shell 
and  C programming  is  helpful. 
COURSE  TITLE:  UNIX  Security  For  Users
COURSE  LENGTH:  1 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  seminar  is  designed  to  make  all  users  aware  of  the  UNIX 
security  vulnerabilities  and  show  them  how  to  prevent  an 
unauthorized  user  from  compromising  their  login  account  or  data. 

The  security  features  which  are  provided  as  part  of  the  operating 
system  are  first  discussed.  Then,  some  of  the  ways  that
unauthorized  people  may  use  to  gain  access  to  a UNIX  system  or
another  user's  files  and  directories  are  discussed.  Next,  the
ways  of  preventing  unauthorized  access  are  described  in  detail, 
along  with  exact  descriptions  of  each  UNIX  command  and  the  way  it 
is  used.  Each  attendee  will  be  provided  with  a self-assessment 
checklist  and  sample  programs  which  will  allow  them  to  perform  a 
personal  audit  on  their  account.  The  seminar  concludes  with  a 
discussion  of  the  actions  a user  should  take  if  they  suspect 
compromise  of  their  login  and/or  files. 
COURSE  TITLE:  Auditing  AS/400:A  Step  By  Step  Approach
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  AS/400  computer  series  is  rapidly  becoming  the  work  horse 
of  the  mini  and  midi  computer  world.  With  a broad  industry  base, 
this  multi  functional  machine  serves  as  a primary  business 
platform,  as  a front  end  processor  or  as  a process  controller. 

This  intensive  seminar  concentrates  on  the  control  and  security 
concerns  relating  to  the  AS/400.  The  participants  will  learn  how
to  automate  the  audit  using  ROBOT,  utilities  and  AS/400  tools. 

Key  control  points  are  identified  to  enable  auditors  to  focus 
their  efforts  to  ensure  a complete  audit  while  reducing  the  audit
duration.  Actual  case  studies  are  used  throughout  the  seminar  to 
provide  real  life  examples  to  reinforce  the  audit  programs  and 
techniques. 

COURSE  TITLE:  The  Data  Center:Auditing  For  Profit
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access. 

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the  related  risks.  As  with  all  CANAUDIT  courses,  this  seminar 
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement  the  lecture. 
COURSE  TITLE:  EDP  Audit  Workshop
COURSE  LENGTH:  5 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  workshop  is  designed  for  auditors  who  will  be  conducting 
audits  in  a computerized  environment.  The  workshop  assumes  no
prior  knowledge  of  EDP  audit  concepts  or  procedures  and  provides
participants  with  a sound  understanding  of  the  audit  risks 
relating  to  information  systems.  Once  the  groundwork  is  laid, 
participants  will  learn  the  controls  required  in  computerized 
applications  and  a step  by  step  approach  to  effectively  evaluate 
the  EDP  control  structures.  As  their  understanding  grows,
participants  will  progress  to  more  complicated  IS  audit  topics
including  local  area  networks,  data  security,  telecommunications 
networks  and  operating  systems.  Extensive  coverage  of  EDI 
ensures  participants  are  able  to  be  active  members  of  the  EDI 
Implementation  Team  and  ensures  appropriate  controls  are  designed 
into  EDI  applications.  Instructors  for  this  seminar  were 
selected  by  their  extensive  IS  audit  experience  and  their  ability 
to  explain  complex  technology  in  simple  English;  therefore, 
participants  will  be  sure  to  grasp  the  key  concepts.
COURSE  TITLE:  Control  and  Security  of  LANS
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

As  local  area  networks  (LAN’s)  permeate  the  organization, 
security  and  control  issues  are  often  ignored.  This  seminar 
takes  a hard  look  at  the  audit  concerns  of  LAN’s  and  how  to 
install effective controls in this dynamic computer environment.
Participants  will  learn  what  can  go  wrong  in  the  LAN  environment 
and  what  preventive  and  detective  controls  are  available  to 
mitigate  control  weaknesses  within  the  LAN  or  from  external 
connections. LAN Management and the role of the LAN officer are
discussed  in  detail.  Special  emphasis  is  placed  on  management  of 
the  hardware  and  connectivity  along  with  the  selection  of 
software.  These  key  items  often  limit  the  overall  usefulness  of 
the  LAN  and  inhibit  the  achievement  of  connectivity  and 
productivity  objectives.  Each  participant  will  receive  detailed 
audit  programs,  common  control  weaknesses  and  sample 
recommendations.  These  are  the  key  tools  they  need  to  conduct 
LAN  audits. 

COURSE TITLE: Auditing Advanced Information Technology
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

When  CANAUDIT  set  out  to  rewrite  the  popular  ADVANCED  EDP 
AUDITING  seminar,  the  objective  was  to  make  it  the  most 
comprehensive  Information  Systems  audit  course  currently 
available  in  the  public  marketplace.  Only  a completely  new 
seminar,  AUDITING  ADVANCED  INFORMATION  TECHNOLOGY,  could 
incorporate  all  of  the  enhancements.  AUDITING  ADVANCED 
INFORMATION  TECHNOLOGY  provides  the  Information  Systems  Auditor 
with the skills required to perform audits of Operating Systems,
Local Area Networks, Wide Area Networks, Access Security and DB2.

In  addition  to  generic  audit  programs,  participants  will  receive 
detailed product specific checklists for MVS, Tandem, VAX, AS/400
and  Novell.  These  checklists  will  enable  the  IS  auditor  to 
conduct  audits  of  those  critical  components  of  information 
technology  necessary  to  ensure  their  organization’s  information 
processing  is  secure,  controlled  and  effective.  Emphasis  is 
placed  on  improving  the  quality  of  management  techniques  and 
controls  to  enable  organizations  to  operate  effectively  in 
today’s complex information technology environment.




COURSE  TITLE:  Auditing  Datacomm  Networks 
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Wide  area  networks  are  the  lifeblood  of  corporate  information 
processing  and  connectivity,  yet  many  organizations  have  yet  to 
do  a complete  audit  of  network  operations  and  management.  This 
seminar  provides  the  IS  auditor  with  a structured  audit  approach 
directed  to  identifying  critical  control  weaknesses  in  the 
network,  the  carriers,  the  media  and  network  management.  Proven 
solutions to common control weaknesses will be provided to each
participant.  Focus  in  this  seminar  is  on  a complete  audit 
approach  for  data  and  voice  communications  from  a security  and 
cost  perspective.  Network  management  tools  and  problem 
resolution  techniques  are  the  cornerstone  of  network  operations. 
Special  emphasis  is  placed  on  using  NETVIEW,  a popular  network 
management  tool  to  identify  network  problems.  Participants  in 
this  session  will  receive  detailed  audit  programs  and  checklists 
which  will  provide  a strong  starting  point  for  their  first 
Network  Audit. 

COURSE TITLE: Auditing IMS
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  seminar  examines  the  complexities  of  the  IMS  database 
management  system.  From  a conceptual  overview  of  the  various  IMS 
facilities  to  the  detail  of  important  control  mechanisms  within 
the  IMS  product  software  family,  it  explores  the  impact  of  IMS  on 
the  work  of  the  auditor  and  the  system  development  process.  Upon 
completion  of  this  seminar,  the  participant  will  understand  the 
IMS  environment,  the  theory  and  terminology  and  the  operational 
perspective of running IMS on a daily basis. An audit program is
discussed  to  enable  participants  to  make  practical  use  of  the 
material  covered  during  the  seminar. 

COURSE  TITLE:  Auditing  DB2 
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  DB2  language  is  now  an  accepted  standard.  As  a result, 
auditors  are  currently  faced  with  yet  another  area  where  they 
must  perform  a highly  technical  audit.  This  seminar  provides  the 
auditor  with  a detailed  understanding  of  DB2,  the  audit  issues 
and concerns, as well as useful audit programs which address DB2,
security  and  the  interfaces  with  IMS  and  CICS.  This  intensive 
session prepares the auditor for their first DB2 audit. Special
emphasis  is  placed  on  the  controls  inherent  in  DB2  and  how  to  use 
them. 

COURSE TITLE: MVS/ESA: An Audit Approach
COURSE  LENGTH:  3 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The operating system is an essential component of system security
and control. This seminar explains MVS/ESA, its components and
the  security  implications  resulting  from  control  weaknesses.  The 
SYSGEN  process,  system  options  and  parameters  are  discussed  as 
they  relate  to  security.  The  usefulness  and  recommended  use  of 
SMP  in  the  change  control  process  is  emphasized.  Management 
procedures  and  the  requirement  for  management  involvement  in  the 
SYSGEN  and  change  process  are  explained  from  an  audit 
perspective. Each participant will receive an audit program to
enable them to conduct a thorough review of MVS/ESA. They will
also  receive  system  utilities  and  JCL  to  enable  them  to  verify 
the  installation  of  system  controls  and  identify  control 
deficiencies.  An  overview  of  system  security  packages  and  how 
they  enhance  total  system  security  is  also  provided. 

COURSE TITLE: Auditing CICS/ESA
COURSE  LENGTH:  2 DAY 

VENDOR 


Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Finally, a course which provides EDP Auditors with a modern
approach  to  auditing  CICS!  This  seminar  emphasizes  a technical 
audit of CICS with in-depth coverage of all the control programs
and  tables.  We  discuss  security  concepts  and  the  impact  of 
security  violations,  along  with  practical  suggestions  for 
implementing  the  security  features  inherent  in  CICS.  Sample 
audit  programs  and  suggested  recommendations  are  provided  to  each 
participant.  Classroom  presentations  and  discussions  enable  the 
participant  to  merge  both  theory  and  practice  into  a unified 
audit approach. Critical audit issues such as ON-Line Controls,
Security Data Integrity, and Management Concerns are developed
throughout  the  session  to  enable  auditors  to  explain  the  business 
case  for  control  of  CICS  as  it  applies  to  their  organization. 

COURSE TITLE: Auditing VAX: A Comprehensive Approach
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

This  session  is  the  most  comprehensive  VAX  Audit  course  currently 
available.  It  is  intended  for  auditors  who  will  be  auditing  the 
VAX  operating  system  and  its  components.  The  seminar  provides 
participants  with  an  understanding  of  the  hardware,  software  and 
security requirements as well as depth, along with detailed
descriptions  of  utilities  and  System  Generation  controls. 

Because  of  the  popularity  of  this  topic,  we  recommend  early 
registration. 

NOTE: We recommend that participants attend the AUDITING ADVANCED
INFORMATION  TECHNOLOGY  or  EDP  AUDIT  WORKSHOP  seminars  or  their 
equivalents  prior  to  attending  this  course. 

COURSE TITLE: Auditing Decnet
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Many  Canaudit  clients  use  the  DEC  VAX  as  an  integral  part  of 
extensive  network  applications.  It  is  essential  that  these 
applications  be  secure  and  that  communications  be  safe  and 
confidential. This seminar is specifically designed for Canaudit
clients  using  DECnet,  the  primary  communications  architecture  for 
Digital  networks.  Complete  coverage  of  all  aspects  of  DECnet 
security including network implementations, Network Control
Program  and  network  access  control  methodologies  is  included  in 
this  concentrated  seminar.  All  participants  will  learn  the 
critical  control  features  of  DECnet  and  how  to  evaluate  the 
control structure. In addition they will receive complete audit
programs  and  utilities  to  automate  much  of  the  audit. 

NOTE: AUDITING VAX: A COMPREHENSIVE APPROACH is the prerequisite
for  this  course. 

COURSE TITLE: Auditing Tandem
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi Valley, CA 93093
(805)  583-3723 

Tandem  computers  have  successfully  penetrated  the  computing 
marketplace. From their start as a fault tolerant machine,
Tandems are now the processing platform of choice in several
industries.  Traditionally  used  in  banking,  Tandems  are  now  widely 
used  in  manufacturing,  research  and  as  business  processors  for 
critical  application  processing.  The  widespread  use  of  Tandems 
in networked environments makes them a target for viral and hacker
attacks.  As  a result,  the  need  for  security  and  control  for 
these  systems  has  never  been  greater,  yet  many  CANAUDIT  clients 
have  not  implemented  the  security  and  controls  provided  as  part 
of  the  Tandem  operating  system.  This  seminar  will  enable 
participants  to  perform  a complex  security  review  of  the  Tandem 
operating  system  and  security  functions.  The  instructor  explains 
potential  security  pitfalls  and  control  weaknesses  in  depth  and 
provides  participants  with  Tandem  utilities  designed  to  probe  the 
system  to  detect  control  weaknesses.  Participants  will  learn 
proven  techniques  to  remedy  security  and  control  weaknesses  and 
how  to  install  them. 

NOTE: We recommend that auditors attend the AUDITING ADVANCED
INFORMATION  SYSTEMS  or  the  EDP  AUDIT  WORKSHOP  seminars  or  their 
equivalents  prior  to  attending  this  session. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 6-Overview of Computer Operations
Module 9-Organization and Administration
Module 10-System Development Life Cycle
Module 11-Change Control and Management
Module 13-"The Time Bomb"
Module 14-Access Control
Module 16-Program Execution
Module 17-Continuity of Operations
Module 20-Data Bases
Module 21-Minicomputer Systems
Module 22-Microcomputer Systems

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 

COURSE TITLE: Information Systems Security
COURSE  LENGTH:  1 SEMESTER 

VENDOR 

Anne  Arundel  Community  College 
101  College  Parkway 
Arnold,  MD  21012-1895 
(301)  541-2758 

A survey  of  topics  in  data  retention  and  control  and  techniques 
associated  with  data,  computer  systems,  network  and  installation 
security. The student will obtain skills related to occupations
in  data  libraries  and  data  security  at  computer  installations. 

NOTE:  Three  semester  hours;  prerequisite:  CSI  113  or  permission 
of  department  head. 

CONTINGENCY PLANNING
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Planning  An  EDP  Disaster  Recovery  Program 
COURSE  LENGTH:  3 DAY 

VENDOR 

Computer  Security  Institute 
600  Harrison  Street 
San  Francisco  CA  94107 
(415)  905-2200 

This  seminar  examines  the  critical  components  of  the  disaster 
recovery  planning  process  in  detail  and  offers  a practical 
framework  for  implementing  a disaster  recovery  program.  A "big 
think"  approach  is  required,  because  recovery  planning  is 
tedious,  time-consuming,  and  requires  management  commitment  plus 
cooperation  from  all  levels  of  user  personnel.  Less  than  20%  of 
the  top  1,000  U.S.  firms  have  workable  EDP  disaster  recovery 
plans  that  have  been  successfully  tested.  Indeed,  many 
organizations  today  have  no  formal  plans  at  all.  Some  have  tried 
to  formulate  a plan  but  failed  because  they  underestimated  the 
scope  and  complexity  of  the  task.  Although  a 3-day  seminar 
cannot  provide  all  the  details  necessary  for  a comprehensive 
program,  this  seminar  will  give  you  a firm  grounding  in  the 
knowledge  and  skills  needed  for  a successful  disaster  recovery 
planning  effort. 

COURSE TITLE: Disaster Recovery Planning
COURSE  LENGTH:  3 DAY 


VENDOR 

EBM  Management  Institute 
19th  Floor 
Chicago,  IL  60611 
(312)  245-3791 

The  real  objective  is  to  develop  and  maintain  recovery  capability 
- not  just  for  DP  but  - for  the  applications  critical  to  the 
conduct  of  business.  It  is  easier  and  cheaper  to  do  this  right. 

This  course  is  designed  for  those  who  wish  to  understand  the 
issues,  the  alternatives,  those  who  have  to  put  a recovery 
capability  into  place.  Teams  from  both  the  DP  and  user 
communities  are  encouraged  to  attend  together.  This  is  a 
management  course,  not  a technical  course  and  the  strategies 
discussed are independent of any particular hardware or software.

COURSE  TITLE:  Computer  Security  & Contingency  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

Security  Administration  is  now  a reality  in  many  organizations. 
Other  companies  that  do  not  currently  have  a security 
administration  function  are  considering,  or  are  in  the  process  of 
creating  the  security  function.  This  seminar  is  designed  to 
remove  the  mystery  surrounding  data  security,  and  to  provide 
participants  with  a proven  approach  to  securing  their  computer 
systems.  At  the  end  of  the  session,  participants  will  understand 
security  administration  and  the  critical  items  that  must  be 
included  to  enable  the  function  to  perform  effectively.  They 
will  be  able  to  classify  data  by  criticality  and  confidentiality. 

They  will  have  an  understanding  of  logical  access  security, 
disaster  contingency  planning,  and  how  to  develop  and  implement 
security  procedures  in  their  organization. 

COURSE TITLE: The Data Center: Auditing For Profit
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

The  audit  programs  provided  in  this  course  are  specifically 
designed  to  enable  the  participants  to  conduct  the  data  center 
audit  with  little  or  no  need  for  additional  support.  Throughout 
this  session  emphasis  is  placed  on  ensuring  that  appropriate 
preventive  controls  are  in  place  to  prevent  unscheduled 
interruption  of  processing  or  inappropriate  data  access. 

Disaster  contingency  planning  is  discussed  in  depth,  with  each 
participant  receiving  a copy  of  our  general  disaster  recovery 
program.  CANAUDIT  has  also  added  a module  on  out-sourcing  which 
provides  auditors  with  a good  understanding  of  the  concepts  and 
the related risks. As with all CANAUDIT courses, this seminar
makes  extensive  use  of  examples  and  classroom  discussion  to 
supplement  the  lecture. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security, system life cycle planning and control, and contingency
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar will emphasize how ISA is integrated with the internal
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 8-Introduction to General Controls
Module  17-Continuity  of  Operations 

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular training area:

Module  6-Access  Control  and  Security 


COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 

COURSE TITLE: Information Systems Security
COURSE  LENGTH:  1 SEMESTER 


VENDOR 

Anne  Arundel  Community  College 
101  College  Parkway 
Arnold,  MD  21012-1895 
(301)  541-2758 

A survey  of  topics  in  data  retention  and  control  and  techniques 
associated  with  data,  computer  systems,  network  and  installation 
security. The student will obtain skills related to occupations
in  data  libraries  and  data  security  at  computer  installations. 

NOTE:  Three  semester  hours;  prerequisite:  CSI  113  or  permission 
of  department  head. 

SYSTEMS LIFE CYCLE MANAGEMENT
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Auditing  DB2 
COURSE  LENGTH:  2 DAY 

VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

IBM’s  DB2  language  is  now  an  accepted  standard.  As  a result, 
auditors  are  currently  faced  with  yet  another  area  where  they 
must  perform  a highly  technical  audit.  This  seminar  provides  the 
auditor  with  a detailed  understanding  of  DB2,  the  audit  issues 
and concerns, as well as useful audit programs which address DB2,
security  and  the  interfaces  with  IMS  and  CICS.  This  intensive 
session  prepares  the  auditor  for  their  first  DB2  audit.  Special 
emphasis  is  placed  on  the  controls  inherent  in  DB2  and  how  to  use 
them. 

COURSE TITLE: Auditing Systems Development
COURSE  LENGTH:  2 DAY 


VENDOR 
Canaudit  Inc. 

P.O.  Box  4150 
Simi  Valley,  CA  93093 
(805)  583-3723 

System  development  costs  continue  to  rise,  yet  often  user  needs 
are  not  satisfied.  The  key  objective  of  a new  system  is  to  meet 
the  business  requirements  for  economical  data  processing  and 
information  retrieval,  in  a controlled  environment.  CANAUDIT’s 
experience  has  shown  that  early  audit  involvement  in  the 
development  process  reduces  the  possibility  of  control  weaknesses 
and  ensures  that  end  user  requirements  are  met.  Our  experience 
demonstrates  that  the  development  of  computerized  systems  in  a 
well  managed  and  controlled  environment  results  in  efficient 
system  products  that  are  reliable  and  effective.  Audit  and 
Quality  Assurance  from  the  beginning  of  the  project  are  essential 
ingredients  for  creating  a proper  control  environment  and 
dependable  applications.  This  comprehensive  seminar  provides 
participants  with  the  appropriate  knowledge  to  enable  them  to 
actively  participate  in  a System  Development  Review.  After  the 
seminar  participants  will  understand  the  attributes,  requirements 
and  techniques  for  an  effective  system  development  methodology, 
effective  project  management  and  control,  reliable  system  design 
features,  adequate  internal  control  measures,  comprehensive 
acceptance  testing  and  effective  audit  participation. 

COURSE TITLE: UPS: Design, Selection and Specification
COURSE  LENGTH:  2 DAY 


VENDOR 

University  of  Wisconsin,  Milwaukee 
929  North  6th  Street 
Milwaukee,  WI  53203 
(800)  222-3623 

Program  objectives  of  this  institute  will  have  been  accomplished 
if,  upon  completion,  the  attendee  can  answer  satisfactorily  the 
following  questions:  Where  is  UPS  needed?  When  is  UPS  needed? 
Should  the  system  be  redundant?  How  should  components  be  chosen? 
How  is  a system  designed?  What  level  of  protection  is 
appropriate?  What  are  the  system  maintenance  requirements?  What 
grounding  and  noise  problems  need  consideration?  How  can 
satisfactory  performance  be  achieved  while  satisfying  the  NEC? 
NOTE: Previous attendees will find that material has been added to
the  program  since  they  last  attended. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to learn about basic computer concepts, computer controls and
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  10-System  Development  Life  Cycle 
Module 11-Change Control and Management

COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  4-The  System  Development  Life  Cycle 

COMPUTER SECURITY BASICS
FOR  END  USERS 


COURSE  TITLE:  Computer  Security  For  End  Users 
COURSE  LENGTH:  1 DAY 

VENDOR 

USDA,  Graduate  School 
600  Maryland  Ave,  SW 
Washington,  DC  20024 
(202)  447-7124 

This  workshop  will  give  you  an  overview  of  the  threats  to,  and 
vulnerabilities  of,  computer  systems,  and  appropriate  safeguards 
to  protect  those  systems.  We  will  stress  your  role  in  the 
protection  of  sensitive  data,  and  in  the  prevention  and  detection 
of  computer  crime.  You  will  receive  checklists  and  suggestions 
for  becoming  more  aware  of  possible  computer  security  problems  in 
your  office,  and  you  will  be  able  to  get  advice  on  how  to  deal 
with  concerns  that  are  specific  to  your  agency  or  installation. 


COURSE  TITLE:  Computer  Security  Awareness  Training 
COURSE  LENGTH:  3 HRS 

VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  to  be  aware  of  threats  to  and  vulnerabilities 
of  computer  systems,  as  well  as  to  encourage  use  of  improved 
security  practices.  Topics  include:  Computer  Security  Act  of 
1987;  computer  fraud,  waste,  and  abuse;  and  types  of  computer 
hackers.  Also  discussed  are  natural  disasters  and  human  errors 
relating  to  computer  security. 

COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  3 HRS 


VENDOR 

Department  of  Navy 

Navy  Regional  Data  Automation  Center 

San  Diego,  CA  92135-5110 

(202)  223-9669 

This session focuses on a variety of security issues found in a
microcomputer environment. Safeguards and controls for personal
computers,  including  physical  protection  measures,  backups,  media 
handling  procedures,  and  security  awareness  programs  are 
described,  as  well  as  user  responsibilities. 

COURSE TITLE: Computer Security: For Security Professionals
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

The  purpose  of  this  seminar  is  to  take  the  mystery  out  of 
computer and network technology. You will learn the basics of
computer  and  telecommunications  systems,  and  how  they  are 
vulnerable  to  computer  crime,  abuse,  misuse,  errors,  and 
omissions.  In  a congenial  atmosphere  surrounded  by  your  own 
colleagues,  you  will  receive  guidelines  for  preventing, 
detecting,  and  responding  to  virus  and  other  criminal  attacks  and 
accidental  errors.  You  will  receive  models  for  using  these 
guidelines  to  protect  your  own  systems. 

COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  5-Overview  of  the  ISA  Function 

Module  6-Overview  of  Computer  Operations 

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  9-Organization  and  Administration 

Module  23-Introduction  to  Application  Control  Reviews 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 1-Computers and Their Components
Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 
Module  5-EDP  Personnel 
Module  6-Access  Control  and  Security 
COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  1 HR 


VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  course  is  to  provide  participants  with  an 
awareness  of  computer  security,  to  sensitize  them  to  the  need  for 
computer  security  policies  and  practices  in  the  workplace,  and  to 
motivate  each  individual  to  practice  effective  computer  security 
techniques.  The  instructional  content  of  the  course  is  composed 
of: requirements of computer-security-related laws and circulars;
definitions  and  examples  of  basic  computer  security  terms;  the 
increasing  concern  to  protect  computer  assets;  and  basic 
computer  practices,  controls,  and  countermeasures. 

NOTE: Contact  the  vendor  for  information  concerning  specialized 
agency  training. 

COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 
NOTE: Contact the vendor for information concerning specialized
agency  training. 
COURSE TITLE: Computer Security Awareness
COURSE  LENGTH:  5-8  HRS 


VENDOR 

DPEC 

1679  Old  Henderson  Road 
Columbus,  OH  43220-3644 
(800)  223-3732 

This  is  a Computer  Based  Training  (CBT)  course  using  the 
framework  of  administrative,  physical  and  logical  security. 
Computer  Security  Awareness  explains  contingency  planning  and 
precautions  against  computer  crime  from  the  viewpoint  of 
mainframe  computers  and  micros;  a computer  security  checklist  is 
included.  This  is  a modular  course  lasting  5-8  hours.  The 
number  of  hours  is  based  upon  a student  interacting  with 
approximately  60-120  screens  per  hour. 
SECURITY PLANNING AND MANAGEMENT
FOR  END  USERS 


COURSE TITLE: DSR: No Fail Methodology For Data Security Review
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

The  DSR  is  a unique  and  tested  data  security  review  methodology 
that  provides  an  organization  with  a comprehensive,  usable 
analysis  and  evaluation  of  its  data  security  environment.  If  you 
have  been  using  an  unscientific  approach  to  review  data  security, 
you  will  appreciate  DSR  and  this  seminar’s  step-by-step 
application  of  its  structured  methodology.  You  will  use  DSR  and 
its  technical  documentation  to  conduct  an  actual  data  security 
review.  The  session’s  "hands-on"  approach  assures  that  you  take 
back  to  the  job  a cohesive  and  cost-effective  data  security 
program  and  a supporting  action  plan. 
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or 
modules  can  be  selected  to  provide  training  on  specific  subjects 
in  shorter-duration  programs.  Call  the  vendor  for  more 
information  regarding  the  following  modules  that  have  been 
selected  for  this  particular  training  area: 

Module  3-Getting  Started 

Module  4-Planning  the  IS  Audit 

Module 5-Overview of the ISA Function

Module 7-A Management Approach to Computer Fraud

Module  8-Introduction  to  General  Controls 

Module  23-Introduction  to  Application  Control  Reviews 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  6-Access  Control  and  Security 
COMPUTER SECURITY POLICY AND PROCEDURES
FOR  END  USERS 


COURSE TITLE: Computer Security
COURSE  LENGTH:  5 DAY 

VENDOR 

GSA  Training  Center 
P.O.  Box  15608 
Arlington,  VA  22215-0608 
(703)  557-0885 

Participants  learn  about  federal  computer  security  regulations 
and  guidelines  and  their  implementation  in  government  agencies. 
Topics  include:  a threat  overview,  national  computer  security 
policies,  an  overview  of  the  National  Institute  of  Standards  and 
Technology  and  the  National  Computer  Security  Center,  physical 
security  considerations,  microcomputer  security  considerations, 
introduction  to  risk  assessment,  qualitative  risk  assessment, 
quantitative  risk  assessment,  other  risk  assessment 
methodologies,  contingency  planning,  design  reviews  and  system 
tests,  and  security  certification  and  accreditation. 


COURSE TITLE: Computer Security: For Security Professionals
COURSE  LENGTH:  3 DAY 

VENDOR 

MIS  Training  Institute 
498  Concord  Street 
Framingham,  MA  01701 
(508)  879-7999 

The  purpose  of  this  seminar  is  to  take  the  mystery  out  of 
computer  and  network  technology.  You  will  learn  the  basics  of 
computer  and  telecommunications  systems,  and  how  they  are 
vulnerable  to  computer  crime,  abuse,  misuse,  errors,  and 
omissions.  In  a congenial  atmosphere  surrounded  by  your  own 
colleagues,  you  will  receive  guidelines  for  preventing, 
detecting,  and  responding  to  virus  and  other  criminal  attacks  and 
accidental errors. You will receive models for using these
guidelines  to  protect  your  own  systems. 
COURSE TITLE: Computer Viruses: Detect, Prevent, Cure Infections
COURSE  LENGTH:  2 DAY 

VENDOR 

CENTER  for  Adv.  Professional  Develop. 

1820  E.  Garry  St. 

Santa  Ana,  CA  92705 
(714)  261-0240 

Most  of  those  who  work  with  computers  are  aware  of  the  existence 
of  something  called  "computer  virus,"  and  the  fact  that  it  may  be 
a danger  to  their  computers  or  data.  But  it  is  hard  to  get  good 
answers  to  the  questions  of  what,  exactly,  a virus  is,  how  great 
a danger  it  represents,  and  how  to  defend  against  any  damage  it 
might  cause.  Covering  technical  details  where  necessary,  but 
always  in  non-technical  language,  this  course  will  tell  you  what 
viri  are,  how  they  attack,  how  you  can  defend  against  them,  and 
what the existence of viri means to you and your use of computers.
The course will give you a complete overview of all known ways
that  viri  have  "reproduced,"  and  the  various  types  of  damage  they 
have  done.  New  viri  are  constantly  being  written  so  the  course 
is  constantly  being  updated. 
COURSE TITLE: UNIX Security For Users
COURSE  LENGTH:  1 DAY 


VENDOR 

Trainix 

1686  Bismark  Drive 
Deltona,  FL  32723 
(904)  789-1769 

This  seminar  is  designed  to  make  all  users  aware  of  the  UNIX 
security  vulnerabilities  and  show  them  how  to  prevent  an 
unauthorized  user  from  compromising  their  login  account  or  data. 

The  security  features  which  are  provided  as  part  of  the  operating 
system are first discussed. Then, some of the ways in which
unauthorized people may gain access to a UNIX system or
another user's files and directories are discussed. Next, the
ways  of  preventing  unauthorized  access  are  described  in  detail, 
along  with  exact  descriptions  of  each  UNIX  command  and  the  way  it 
is used. Each attendee will be provided with a self-assessment
checklist  and  sample  programs  which  will  allow  them  to  perform  a 
personal  audit  on  their  account.  The  seminar  concludes  with  a 
discussion  of  the  actions  a user  should  take  if  they  suspect 
compromise  of  their  login  and/or  files. 
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar will emphasize how ISA is integrated with the internal
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  6-Overview  of  Computer  Operations 
Module 9-Organization and Administration
Module 10-System Development Life Cycle
Module 11-Change Control and Management
Module  13-"The  Time  Bomb" 

Module 14-Access Control
Module  16-Program  Execution 
Module  17-Continuity  of  Operations 
Module  20-Data  Bases 
Module 21-Minicomputer Systems
Module  22-Microcomputer  Systems 
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  2-Data  and  Data  Processing 
Module  3-Programs  and  Languages 


COURSE TITLE: Microcomputer Security
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen  & Hamilton  Inc. 

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact  the  vendor  for  information  concerning  specialized 
agency  training. 




CONTINGENCY  PLANNING 
FOR  END  USERS 


COURSE  TITLE:  Disaster  Recovery  Planning 
COURSE  LENGTH:  3 DAY 

VENDOR 

IBM  Management  Institute 
19th  Floor 
Chicago,  IL  60611 
(312)  245-3791 

The  real  objective  is  to  develop  and  maintain  recovery  capability 
- not  just  for  DP  but  - for  the  applications  critical  to  the 
conduct  of  business.  It  is  easier  and  cheaper  to  do  this  right. 

This  course  is  designed  for  those  who  wish  to  understand  the 
issues,  the  alternatives,  those  who  have  to  put  a recovery 
capability  into  place.  Teams  from  both  the  DP  and  user 
communities  are  encouraged  to  attend  together.  This  is  a 
management  course,  not  a technical  course  and  the  strategies 
discussed are independent of any particular hardware or software.
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville,  KY  40232-9691 
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar  will  emphasize  how  ISA  is  integrated  with  the  internal 
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module  8-Introduction  to  General  Controls 
Module  17-Continuity  of  Operations 




COURSE  TITLE:  EDP  Concepts  For  Business 
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP  Concepts  for  Business  is  an  interactive  computer-based 
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with  at  least  192K  memory.  Call  the  vendor  for  more  information 
regarding  the  following  module  that  has  been  selected  for  this 
particular training area:

Module 6-Access Control and Security

COURSE  TITLE:  Microcomputer  Security 
COURSE  LENGTH:  2 HRS 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

The  purpose  of  this  microcomputer  security  course  is  to  sensitize 
participants  to  the  need  for  microcomputer  security  and  to 
provide  each  individual  with  some  practical  tools  to  protect 
their  microcomputer  assets,  especially  the  stored  information. 

The  course  provides  practical  information  on  computer  security 
that  microcomputer  users  can  implement  immediately. 

NOTE: Contact the vendor for information concerning specialized
agency  training. 
SYSTEMS LIFE CYCLE MANAGEMENT
FOR  END  USERS 


COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE  LENGTH:  5 DAY 

VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

This  introductory  seminar  of  computer  concepts  and  controls  is 
designed  for  the  MIS  or  internal  auditing  professional  who  needs 
to  learn  about  basic  computer  concepts,  computer  controls  and 
security,  system  life  cycle  planning  and  control,  and  contingency 
planning.  Individuals  with  these  backgrounds  who  complete  this 
seminar  will  be  exposed  to  every  major  aspect  of  information 
systems  auditing  and  should  be  able,  with  the  tools  provided  in 
the  seminar,  to  perform  basic  IS  Audits.  In  addition,  the 
seminar will emphasize how ISA is integrated with the internal
audit  process.  This  is  a five-day,  classroom  program  consisting 
of  stand-alone  modules  that  can  be  presented  as  a whole  or  in 
shorter-duration  programs.  Call  the  vendor  for  more  information 
regarding  the  following  modules  that  have  been  selected  for  this 
particular  training  area: 

Module 8-Introduction to General Controls
Module 10-System Development Life Cycle
Module 11-Change Control and Management
COURSE TITLE: EDP Concepts For Business
COURSE  LENGTH:  SELF-PACED 


VENDOR 
Ernst  & Young 
P.O.  Box  34260 
Louisville, KY 40232-9691
(800)  289-5745 

EDP Concepts for Business is an interactive computer-based
training  (CBT)  program.  The  student  receives  information  and  is 
coached  based  upon  the  answers  to  teaching  questions.  This  was 
designed  to  involve  the  student,  be  flexible,  and  be  responsive 
to  the  student’s  needs;  this  format  focuses  on  the  student.  You 
need  only  an  IBM  PC,  XT,  AT,  or  any  IBM-compatible  microcomputer 
with at least 192K memory. Call the vendor for more information
regarding  the  following  module  that  has  been  selected  for  this 
particular  training  area: 

Module  4-The  System  Development  Life  Cycle 

COURSE TITLE: Computer Security In Application Software
COURSE  LENGTH:  2 DAY 

VENDOR 

Booz-Allen & Hamilton Inc.

4330  East  West  Highway 
Bethesda,  MD  20814-4455 
Victor  Marshall 
(301)  951-4672 

This  course  presents  a logical  sequence  of  overall  computer 
security  activities  during  the  application  development  life 
cycle.  The  course  will  assist  application  developers,  sponsors, 
and  owners  in  identifying  security  activities  that  should  be 
considered  for  applications,  whether  they  are  being  developed, 
significantly  enhanced,  or  routinely  debugged.  This  course  is 
primarily  intended  for  application  software  managers  and  support 
personnel. 

NOTE: Contact the vendor for information concerning specialized
agency  training. 

It  is  our  intention  to  update  this  document  as  the  need  arises 
and  we  welcome  any  comments  and  corrections  that  will  yield  a 
better  product.  Please  contact  Kathie  Everhart  (301)  975-3868. 
Appendix A


TRAINING  MATRIX 


KEY: TRAINING LEVEL
AWARENESS
POLICY
IMPLEMENTATION
PERFORMANCE
NIST-114A U.S. DEPARTMENT OF COMMERCE

(REV.  3-90)  NATIONAL  INSTITUTE  OF  STANDARDS  AND  TECHNOLOGY 

BIBLIOGRAPHIC  DATA  SHEET 


1. PUBLICATION OR REPORT NUMBER

NISTIR  4846 


2.  PERFORMING  ORGANIZATION  REPORT  NUMBER 


3. PUBLICATION DATE

May  1992 


4.  TITLE  AND  SUBTITLE 


Computer  Security  Training  & Awareness  Course  Compendium 


5.  AUTHOR(S) 

Kathie  Everhart 


Editor


6.  PERFORMING  ORGANIZATION  (IF  JOINT  OR  OTHER  THAN  NIST,  SEE  INSTRUCTIONS) 
U.S.  DEPARTMENT  OF  COMMERCE 

NATIONAL  INSTITUTE  OF  STANDARDS  AND  TECHNOLOGY 
GAITHERSBURG,  MD  20899 


7.  CONTRACT/GRANT  NUMBER 


8. TYPE OF REPORT AND PERIOD COVERED


9. SPONSORING ORGANIZATION NAME AND COMPLETE ADDRESS (STREET, CITY, STATE, ZIP)


10.  SUPPLEMENTARY  NOTES 


11. ABSTRACT (A 200-WORD OR LESS FACTUAL SUMMARY OF MOST SIGNIFICANT INFORMATION. IF DOCUMENT INCLUDES A SIGNIFICANT BIBLIOGRAPHY OR
LITERATURE SURVEY, MENTION IT HERE.)

The  training  and  awareness  courses  in  this  compendium  correspond  to  the  matrix  in  NIST 
Special  Publication  500-172,  Computer  Security  Training  Guidelines.  Special  Publication 
500-172 is used as reference under the OPM regulation that implements Public Law 100-235,
the  Computer  Security  Act  of  1987,  which  requires  training  for  all  employees  responsible 
for  the  management  and  use  of  federal  computer  systems  that  process  sensitive  information. 
Under the regulation, agencies will be responsible for identifying the employees to be
trained  and  providing  appropriate  training. 

This  publication  is  divided  into  five  audience  categories:  1)  Executives,  2)  Program/ 
Functional  Managers,  3)  IRM,  Security,  and  Audit  Personnel,  4)  ADP  Management,  Operations, 
and  Programming  Staff,  and  5)  End  Users.  In  addition  to  the  five  audience  categories,  there 
are five training content areas for each audience category: 1) Computer Security Basics,
2) Security Planning & Management, 3) Computer Security Policy & Procedures, 4) Contingency
Planning,  and  5)  Systems  Life  Cycle  Management.  The  level  of  training  required  in  each 
area  will  vary  from  general  awareness  to  specific  training  courses  depending  on  the 
training  objectives  established  by  each  agency. 
NISTIR 4846

Computer  Security  Course  Compendium 
June  23,  1992 


The courses for the vendor, COMSIS, did not make it into the first printing of NISTIR 4846.


Table  of  Contents 

****  For  Addendum  **** 


COMPUTER SECURITY BASICS
FOR EXECUTIVES
Federal AIS Computer Security Requirements

SECURITY PLANNING AND MANAGEMENT
FOR EXECUTIVES
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I
Executive AIS Security Briefing

COMPUTER SECURITY POLICY AND PROCEDURES
FOR EXECUTIVES
Federal AIS Computer Security Requirements
Executive AIS Security Briefing

COMPUTER SECURITY BASICS
FOR PROGRAM AND FUNCTIONAL MANAGERS
Implementing & Managing a Computer Security Program
Federal AIS Computer Security Requirements
Risk Assessment

SECURITY PLANNING AND MANAGEMENT
FOR PROGRAM AND FUNCTIONAL MANAGERS
Data Communications Security
Implementing & Managing a Computer Security Program
Application Security Reviews
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing
Risk Assessment

COMPUTER SECURITY POLICY AND PROCEDURES
FOR PROGRAM AND FUNCTIONAL MANAGERS
Implementing & Managing a Computer Security Program
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I

CONTINGENCY PLANNING
FOR PROGRAM AND FUNCTIONAL MANAGERS
Data Communications Security
Application Security Reviews
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing

SYSTEMS LIFE CYCLE MANAGEMENT
FOR PROGRAM AND FUNCTIONAL MANAGERS
Implementing & Managing a Computer Security Program
Risk Assessment
Application Security Reviews

COMPUTER SECURITY BASICS
FOR IRM, SECURITY, AND AUDIT
Implementing & Managing a Computer Security Program
Federal AIS Computer Security Requirements
Risk Assessment

SECURITY PLANNING AND MANAGEMENT
FOR IRM, SECURITY, AND AUDIT
Data Communications Security
Implementing & Managing a Computer Security Program
Application Security Reviews
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Risk Assessment
Physical Security for Data Processing

COMPUTER SECURITY POLICY AND PROCEDURES
FOR IRM, SECURITY, AND AUDIT
Implementing & Managing a Computer Security Program
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I

CONTINGENCY PLANNING
FOR IRM, SECURITY, AND AUDIT
Data Communications Security
Application Security Reviews
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing

SYSTEMS LIFE CYCLE MANAGEMENT
FOR IRM, SECURITY, AND AUDIT
Implementing & Managing a Computer Security Program
Risk Assessment
Application Security Reviews

COMPUTER SECURITY BASICS
FOR ADP MANAGEMENT AND OPERATIONS
Federal AIS Computer Security Requirements
Implementing & Managing a Computer Security Program
Computer Security for the End-User
Risk Assessment

SECURITY PLANNING AND MANAGEMENT
FOR ADP MANAGEMENT AND OPERATIONS
Data Communications Security
Implementing & Managing a Computer Security Program
Application Security Reviews
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing
Risk Assessment

COMPUTER SECURITY POLICY AND PROCEDURES
FOR ADP MANAGEMENT AND OPERATIONS
Implementing & Managing a Computer Security Program
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I

CONTINGENCY PLANNING
FOR ADP MANAGEMENT AND OPERATIONS
Application Security Reviews
Data Communications Security
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing

SYSTEMS LIFE CYCLE MANAGEMENT
FOR ADP MANAGEMENT AND OPERATIONS
Implementing & Managing a Computer Security Program
Risk Assessment
Application Security Reviews

COMPUTER SECURITY BASICS
FOR END USERS
Computer Security for the End-User
Federal AIS Computer Security Requirements
Risk Assessment

SECURITY PLANNING AND MANAGEMENT
FOR END USERS
Federal AIS Computer Security Requirements
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing
Risk Assessment

COMPUTER SECURITY POLICY AND PROCEDURES
FOR END USERS
Federal AIS Computer Security Requirements

CONTINGENCY PLANNING
FOR END USERS
Continuity of Operations/Disaster Recovery Planning: Part I
Continuity of Operations/Disaster Recovery Planning: Part II Workshop
Physical Security for Data Processing

SYSTEMS LIFE CYCLE MANAGEMENT
FOR END USERS
Risk Assessment




COMPUTER  SECURITY  BASICS 
FOR  EXECUTIVES 


COURSE TITLE: Federal AIS Computer Security Requirements
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 


This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 
SECURITY PLANNING AND MANAGEMENT
FOR  EXECUTIVES 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 

COURSE  TITLE:  Executive  AIS  Security  Briefing 
COURSE  LENGTH:  1/2  DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  provides  a brief  overview  of  Federal  Computer  Security  requirements  and  objectives
and  explores  Senior  Management's  role  in  protecting  assets.


COMPUTER  SECURITY  POLICY  AND  PROCEDURES
FOR  EXECUTIVES 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Executive  AIS  Security  Briefing 
COURSE  LENGTH:  1/2  DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  provides  a brief  overview  of  Federal  Computer  Security  requirements  and  objectives
and  explores  Senior  Management's  role  in  protecting  assets.


COMPUTER  SECURITY  BASICS
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment.


SECURITY  PLANNING  AND  MANAGEMENT
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination.


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop 
COURSE  LENGTH:  3 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and 
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Physical  Security  for  Data  Processing
COURSE  LENGTH:  2 DAYS 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 




COMPUTER  SECURITY  POLICY  AND  PROCEDURES 
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


CONTINGENCY  PLANNING
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Physical  Security  for  Data  Processing 
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments.


SYSTEMS  LIFE  CYCLE  MANAGEMENT
FOR  PROGRAM  AND  FUNCTIONAL  MANAGERS 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination.


COMPUTER  SECURITY  BASICS
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment.


SECURITY  PLANNING  AND  MANAGEMENT
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination.


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment.  To 
accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Risk  Assessment
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 


COURSE  TITLE:  Physical  Security  for  Data  Processing 
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments.


COMPUTER  SECURITY  POLICY  AND  PROCEDURES
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


CONTINGENCY  PLANNING
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment.  To 
accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and 
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Physical  Security  for  Data  Processing 
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments.


SYSTEMS  LIFE  CYCLE  MANAGEMENT
FOR  IRM,  SECURITY,  AND  AUDIT 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination.


COMPUTER  SECURITY  BASICS
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Computer  Security  for  the  End-User 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  provides  training  to  end-users  who  operate  sensitive  and  mission-critical  systems 
and/or  rely  upon  automated  information  systems  to  perform  their  work.


COURSE  TITLE:  Risk  Assessment
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment.


SECURITY  PLANNING  AND  MANAGEMENT
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination,
data  collection  methods,  and  control  weaknesses  and  safeguards  determination.


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements
COURSE  LENGTH:  1 DAY 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop 
COURSE  LENGTH:  3 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Physical  Security  for  Data  Processing
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments. 

COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment.


COMPUTER  SECURITY  POLICY  AND  PROCEDURES
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 


This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


CONTINGENCY  PLANNING
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination. 


COURSE  TITLE:  Data  Communications  Security 
COURSE  LENGTH:  2 1/2  DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  network  processing  technologies,  security  threats, 
safeguards,  and  protection  strategies.  The  data  communications  environments  covered  in  this 
course  include  Local  Area  Networks,  Wide  Area  Networks,  Distributed  Data  Processing,  and 
remote  mainframe  access. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations.


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and 
operational  environments  critical  to  the  development  of  a discrete  COOP/DRP.


COURSE  TITLE:  Physical  Security  for  Data  Processing 
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments.


SYSTEMS  LIFE  CYCLE  MANAGEMENT
FOR  ADP  MANAGEMENT  AND  OPERATIONS 


COURSE  TITLE:  Implementing  & Managing  a Computer  Security  Program 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  an  overview  of  a computer  security  program,  and  describes  the  requirements 
and  rationale  for  each  program  element. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 


COURSE  TITLE:  Application  Security  Reviews 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  examines  the  requirements  and  objectives  of  application  security  and  describes  the 
techniques  and  tools  for  conducting  application  security  reviews.  The  course  includes  the 
planning  process,  review  of  the  baseline  security  goals,  sensitivity  and  criticality  determination, 
data  collection  methods,  and  control  weaknesses  and  safeguards  determination. 


COMPUTER  SECURITY  BASICS
FOR  END  USERS 


COURSE  TITLE:  Computer  Security  for  the  End-User 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  provides  training  to  end-users  who  operate  sensitive  and  mission-critical  systems 
and/or  rely  upon  automated  information  systems  to  perform  their  work. 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 


SECURITY  PLANNING  AND  MANAGEMENT
FOR  END  USERS 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and 
operational  environments  critical  to  the  development  of  a discreet  COOP/DRP. 


COURSE  TITLE:  Physical  Security  for  Data  Processing
COURSE  LENGTH:  2 DAYS 


VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments. 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 




COMPUTER  SECURITY  POLICY  AND  PROCEDURES 
FOR  END  USERS 


COURSE  TITLE:  Federal  AIS  Computer  Security  Requirements 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  begins  with  a review  of  the  Federal  Computer  Security  framework  and  an 
introduction  to  the  key  players  and  legislation  that  has  shaped  Federal  Computer  Security  policy. 


CONTINGENCY  PLANNING
FOR  END  USERS 


COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  I 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  outlines  the  steps  to  be  performed  to  determine  backup/recovery  requirements,  and 
effectively  plan  and  develop  a COOP/DRP  for  both  applications  and  installations. 

COURSE  TITLE:  Continuity  of  Operations/Disaster  Recovery  Planning:  Part  II  Workshop
COURSE  LENGTH:  3 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-0800 

This  course  will  be  specifically  tailored  toward  the  individual  course  audiences’  environment. 
To  accomplish  this,  research  questionnaires  must  be  completed  by  course  participants  prior  to 
attending.  These  questionnaires  will  provide  the  baseline  hardware,  software,  physical,  and 
operational  environments  critical  to  the  development  of  a discreet  COOP/DRP. 

COURSE  TITLE:  Physical  Security  for  Data  Processing 
COURSE  LENGTH:  2 DAYS 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  essential  training  to  personnel  in  the  areas  of  physical  and  environmental 
security  in  both  large  scale  (mainframes)  and  small  scale  (PC)  processing  environments. 


SYSTEMS  LIFE  CYCLE  MANAGEMENT
FOR  END  USERS 


COURSE  TITLE:  Risk  Assessment 
COURSE  LENGTH:  1 DAY 

VENDOR 

COMSIS 

8737  Colesville  Road,  Suite  1100 
Silver  Spring,  MD  20910 
(301)  588-5922 

This  course  provides  a global  examination  of  computer  security  risk  assessment  and  the 
techniques  for  applying  risk  assessment. 